Why GAO Did This Study

The Department of Homeland 
Security (DHS) has established a 
program known as U.S. Visitor and 
Immigrant Status Indicator 
Technology (US-VISIT) to collect, 
maintain, and share information, 
including biometric identifiers, on 
certain foreign nationals who travel 
to the United States. By 
congressional mandate, DHS is to 
develop and submit an expenditure 
plan for US-VISIT that satisfies 
certain conditions, including being 
reviewed by GAO. GAO reviewed 
the plan to (1) determine if the plan 
satisfied these conditions, (2) 
follow up on certain 
recommendations related to the 
program, and (3) provide any other 
observations. To address the 
mandate, GAO assessed plans and 
related documentation against 
federal guidelines and industry 
standards and interviewed the 
appropriate DHS officials. 



What GAO Recommends 



Because outstanding 
recommendations already address 
all of the management weaknesses 
discussed in this report, GAO is 
reiterating prior recommendations 
and recommending that the 
Secretary of DHS report to the 
department's authorization and 
appropriations committees on its 
reasons for not fully addressing the 
legislative conditions and prior 
GAO recommendations. DHS 
largely agreed with the report and 
provided additional information 
and views that GAO has 
incorporated and addressed in the 
report as appropriate. 

www.gao.gov/cgi-bin/getrpt?GAO-07-1065. 

To view the full product, including the scope 
and methodology, click on the link above. 
For more information, contact Randolph C. 
Hite at (202) 512-3439 or hiter@gao.gov. 



What GAO Found 

The US-VISIT expenditure plan, including related program documentation 
and program officials' statements, satisfies or partially satisfies some but not 
all of the legislative conditions required by the Department of Homeland 
Security Appropriations Act, 2007. For example, the department satisfied the 
condition that it provide certification that an independent verification and 
validation agent is currently under contract for the program and partially 
satisfied the condition that US-VISIT comply with DHS's enterprise 
architecture. However, the department did not satisfy the conditions that the 
plan include a comprehensive US-VISIT strategic plan and a complete 
schedule for biometric exit implementation. 

DHS partially implemented GAO's oldest open recommendations pertaining 
to US-VISIT. For example, while the department partially completed the 
recommendation that it develop and begin implementing a US-VISIT system 
security plan, the scope of the plan does not extend to all the systems that 
comprise US-VISIT. In addition, while the expenditure plan provides some
information on US-VISIT's cost, schedule, and benefits associated with 
planned capabilities, the information provided is not sufficiently defined and 
detailed to address GAO's recommendation and provide a reasonable basis 
for measuring progress and holding the department accountable for results. 

GAO identified several additional observations. On the positive side, DHS 
data show that the US-VISIT prime contract is being executed according to
cost and schedule expectations. However, DHS continues to propose
disproportionately heavy investment in US-VISIT program management-related
activities without adequate justification or full disclosure. Further,
DHS continues to propose spending tens of millions of dollars on US-VISIT 
exit projects that are not well-defined, planned, or justified on the basis of 
costs, benefits, and risks. 

Overall, the US-VISIT fiscal year 2007 expenditure plan and other available 
program documentation do not provide a sufficient basis for effective 
program oversight and accountability. Both the legislative conditions and 
GAO's open recommendations are aimed at accomplishing both, and thus 
they need to be addressed quickly and completely. However, despite ample 
opportunity to do so, DHS has not done so and the reasons why are unclear. 
Until these recommendations are addressed, GAO does not believe that the
program's disproportionate investment in management-related activities
represents a prudent and warranted course of action, nor does it expect that the
newly launched exit endeavor will produce results different from past
results — namely, no operational exit solution despite expenditure plans 
allocating about a quarter of a billion dollars to various exit activities. 
United States Government Accountability Office
Washington, D.C. 20548 



August 31, 2007 

The Honorable Robert C. Byrd 
Chairman 

The Honorable Thad Cochran 
Ranking Member 

Subcommittee on Homeland Security 
Committee on Appropriations 
United States Senate 

The Honorable David E. Price 
Chairman 

The Honorable Harold Rogers 
Ranking Member 

Subcommittee on Homeland Security 
Committee on Appropriations 
House of Representatives 

The Department of Homeland Security (DHS) submitted to Congress in
March 2007 its fiscal year 2007 expenditure plan for the U.S. Visitor and
Immigrant Status Indicator Technology (US-VISIT) program pursuant to
the Department of Homeland Security Appropriations Act, 2007. 1 US-VISIT
is a governmentwide program to collect, maintain, and share information
on foreign nationals who enter and exit the United States. The program's
goals are to enhance the security of U.S. citizens and visitors, facilitate
legitimate trade and travel, ensure the integrity of the U.S. immigration
system, and protect the privacy of visitors to the United States. As required
by the appropriations act, we reviewed US-VISIT's fiscal year 2007
expenditure plan. Our objectives were to (1) determine whether the
expenditure plan satisfies legislative conditions specified in the
appropriations act, (2) determine the status of our oldest open
recommendations pertaining to US-VISIT, 2 and (3) provide observations
about the expenditure plan and DHS' management of US-VISIT.



1 Pub. L. No. 109-295 (Oct. 4, 2006).

2 Our reports on US-VISIT expenditure plans have resulted in 28 recommendations, 6 of 
which pertain to the US-VISIT expenditure plan and 22 of which pertain to the US-VISIT 
program. The recommendations that we focused on are those that have been open for 4 
years. For a full list of US-VISIT-related GAO reports, see appendix I, attachment 2. 
On June 15, 2007, and on June 20, 2007, we briefed the staffs of the Senate
and House Appropriations Subcommittees on Homeland Security, 
respectively, on the results of our review. This report transmits these 
results. The full briefing, including our scope and methodology, is reprinted 
in appendix I. 



Compliance with 
Legislative Conditions 



The US-VISIT expenditure plan, including related program documentation
and program officials' statements, satisfies or partially satisfies some, but
not all, of the legislative conditions. Specifically, the legislative conditions
that DHS certify that an independent verification and validation agent is
currently under contract for the program and that the DHS Investment
Review Board, the Secretary of Homeland Security, and the Office of
Management and Budget (OMB) review and approve the plan were
satisfied. 3 However, DHS only partially satisfied the legislative conditions
that it (1) meet the capital planning and investment control review
requirements established by OMB, including OMB Circular A-11, part 7;
(2) comply with DHS' enterprise architecture; and (3) comply with federal
acquisition rules, requirements, guidelines, and systems acquisition
management practices. In addition, DHS did not satisfy the legislative
conditions that the plan include (1) a comprehensive US-VISIT strategic
plan and (2) a complete schedule for biometric exit implementation.



Status of Open 
Recommendations 



DHS has partially implemented our recommendations pertaining to
US-VISIT that have been open for 4 years. These recommendations, along with
their status, are summarized here.



• Recommendation: Develop and begin implementing a system security 
plan and perform a privacy impact analysis and use the results of this 
analysis in near term and subsequent system acquisition decision 
making. 

DHS has partially implemented this recommendation. In December 2006,
the program office developed a US-VISIT security strategy and has since
begun implementing it. However, the scope of this strategy does not extend
to all the systems that comprise US-VISIT, such as the Treasury



3 One additional legislative condition- 
Enforcement Communications System (TECS). We recently testified 4 that
TECS has neither the security controls and defensive perimeters in place 
for preventing an intrusion, nor the capability to detect an intrusion should 
one occur. Until a more comprehensive security strategy is developed, the 
systems that comprise US-VISIT could place it at increased risk. 

• Recommendation: Develop and implement a plan for satisfying key 
acquisition management controls, including acquisition planning, 
solicitation, requirements management, project management, contract 
tracking and oversight, evaluation, and transition to support, and 
implement the controls in accordance with Software Engineering 
Institute (SEI) guidance. 5 

DHS has partially implemented this recommendation. Since 2005, the 
program office reports progress in implementing 113 practices associated 
with six SEI key process areas. However, the six areas of focus do not 
include all of the management controls that our recommendations cover, 
such as solicitation and transition to support. As long as the program office 
does not address all of the management controls that we have 
recommended, it will unnecessarily increase program risks. 

• Recommendation: Ensure that expenditure plans fully disclose what 
system capabilities and benefits are to be delivered, by when, and at 
what cost, as well as how the program is being managed. 

DHS has partially implemented this recommendation. The fiscal year 2007 
expenditure plan discloses planned system capabilities, estimated 
schedules and costs, and expected benefits. However, schedules, costs, and 
benefits are not always defined in sufficient detail to be measurable and to 
permit oversight. Finally, the plan does not fully disclose challenges or 
changes associated with program management. Without such information, 
the expenditure plan may not provide Congress with enough information to 
exercise effective oversight and to hold the department accountable. 



4 House Committee on Homeland Security, Hacking the Homeland: Investigating 
Cybersecurity Vulnerabilities at the Department of Homeland Security: Hearing before 
the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, 
110th Cong., 1st sess., 2007. 

5 This recommendation merges two of our prior recommendations. 
• Recommendation: Ensure that the human capital and financial
resources provided are sufficient to establish a fully functional and 
effective program office and associated management capability. 

DHS has partially implemented this recommendation. At one point in 2006, 
all of the program office's 115 government positions were filled. However, 
21 positions have since become vacant. Without adequate human capital, 
particularly in key positions and for extended periods, program risks will 
increase. 

• Recommendation: Clarify the operational context within which
US-VISIT must operate.

DHS has partially implemented this recommendation. DHS has yet to
define the operational context in which US-VISIT is to operate, such as
having a departmentally approved strategic plan or a well-defined
department enterprise architecture (EA). While the expenditure plan
includes a departmentally approved US-VISIT strategic plan, it does not
address key elements of relevant federal strategic planning guidance.
Moreover, we recently reported 6 that the version of the department's EA 7
that DHS has been using for US-VISIT alignment purposes was missing
architecture content and was developed with limited stakeholder input. 
Finally, although program officials have met with related programs to 
coordinate their respective efforts, specific coordination efforts have not 
been assigned to any DHS entity. Until a well-defined operational context 
exists, the department will be challenged in its ability to define and 
implement US-VISIT and related border security and immigration 
management programs in a manner that promotes interoperability, 
minimizes duplication, and optimizes departmental capabilities and 
performance. 

• Recommendation: Determine whether proposed US-VISIT increments 
will produce mission value commensurate with costs and risks and 
disclose to its executive bodies and Congress the results of these 
business cases and planned actions. 



6 GAO, Homeland Security: DHS Enterprise Architecture Continues to Evolve, but 
Improvements Needed, GAO-07-564 (Washington D.C.: May 9, 2007). 

7 The focus of our review was DHS EA 2006. In March 2007, DHS issued HLS EA 2007. 
DHS has partially implemented this recommendation. We recently reported
that, while a business case was prepared for Increment 1B, 8 the analysis
performed met only four of the eight criteria in OMB guidance. Since then, 
the program office has developed business cases for two projects: Unique 
Identity and U.S. Travel Documents-ePassports (formerly Increment 2A), 
and we have ongoing work to address, among other things, these business 
cases. Further, the program office has yet to develop a business case for 
another project that it plans to begin implementing this year — biometric 
exit at air ports of entry (POE). Until the program office has reliable 
business cases for each US-VISIT project in which alternative solutions for 
meeting mission needs are evaluated on the basis of costs, benefits, and 
risks, it will not be able to adequately inform its executive bodies and 
Congress about its plans and will not provide the basis for prudent 
investment decision making. 

• Recommendation: Develop and implement a human capital strategy 
that provides for staffing open positions with individuals who have the 
requisite core competencies (knowledge, skills, and abilities). 

DHS has partially implemented this recommendation. In February 2006, we 
reported 9 that the program office issued a human capital plan and had 
begun implementing it. However, DHS stopped doing so during 2006 
pending departmental approval of a DHS-wide human capital initiative and 
because all program office positions were filled. However, as noted earlier, 
the program office now reports that it has 21 government positions — 
including critical leadership positions — that are now vacant. Moreover, it 
has stated that it developed a new human capital plan but we did not 
review this plan because it is still undergoing departmental review. Until 
the department approves the human capital plan and the program office 
begins to implement it, the program will continue to be at risk. 

• Recommendation: Develop and implement a risk management plan and 
ensure that all high risks and their status are reported regularly to the 
appropriate executives. 



8 Air and Sea Exit Deployment. 

9 GAO, Homeland Security: Recommendations to Improve Management of Key Border 
Security Program Need to Be Implemented, GAO-06-296 (Washington, D.C.: Feb. 14, 2006). 
DHS has partially implemented this recommendation. US-VISIT has
approved a risk management plan and has begun implementing it. 
However, the current risk management plan does not address when risks 
should be elevated beyond the level of the US-VISIT Program Director. 
According to program officials, elevation of US-VISIT risks is at the 
discretion of the Program Director, and no risks have been elevated to DHS 
executives since December 2005. Until the program office ensures that high 
risks are appropriately elevated, department executives will not have the 
information they need to make informed investment decisions. 

• Recommendation: Define performance standards for US-VISIT that are 
measurable and reflect the limitations imposed on US-VISIT capabilities
by relying on existing systems. 

DHS has partially implemented this recommendation. The program office 
has defined technical performance standards for several increments, but 
these standards do not contain sufficient information to determine whether 
they reflect the limitations imposed by relying on existing systems. As a 
result, the ability of these increments to meet performance requirements 
remains uncertain and the ability to identify and effectively address 
performance shortfalls is missing. 



Observations on the 
Expenditure Plan and 
Management of US-VISIT



While available data show that prime contract cost and schedule
expectations are being met, aspects of the US-VISIT program continue to
lack definition and justification. Each of our observations in this regard is
summarized here.

• Earned value management (EVM) data on ongoing prime contract task 
orders show that cost and schedule baselines are being met. 

EVM is a program management tool for measuring progress by comparing 
the value of work accomplished with the amount of work expected to be 
accomplished. 10 Data provided by the program office show that the 
cumulative cost and schedule variances for the overall prime contract and 
all 12 ongoing task orders are within an acceptable range of performance. 



10 The EVM system used by the prime contractor has yet to be certified by an outside agent 
(see briefing slide 36 in app. I for details). 
• DHS continues to propose a heavy investment in program
management-related activities without adequate justification or full disclosure.

Program management is an important and integral aspect of any system 
acquisition program and should be justified in relation to the size and 
significance of the acquisition activities being performed. In 2006, program 
management costs represented 135 percent of planned development. This 
means that for every dollar spent on new capabilities, $1.35 was spent on 
management. The fiscal year 2007 expenditure plan similarly proposed 
investing $1.25 on management-related activities for every dollar invested 
in new development. However, the plan does not explain the reasons for 
the sizable investment in management-related activities or otherwise justify 
it on the basis of measurable expected value. Without disclosing and 
justifying its proposed investment and program management-related 
efforts, it is unclear that such a large amount of funding for these activities 
represents the best use of resources. 

• Lack of a well-defined and justified exit solution introduces the risk of 
repeating failed and costly past exit efforts. DHS has issued a high-level 
schedule for air exit, but information supporting that schedule is not yet 
available. In addition, there are no other exit program plans available 
that define what will be done, by what entities, and at what cost in order 
to define, acquire, deliver, deploy, and operate this capability. This 
includes developing plans describing expected system capabilities, 
identifying key stakeholder roles/responsibilities and buy-in, 
coordinating and aligning with related programs, and allocating funding 
to activities. Furthermore, DHS has not performed an analysis 
comparing the life cycle costs of the air exit solution to its expected 
benefits and risks. Since 2004, we have reported on a similar lack of 
definition and justification of prior US-VISIT exit efforts, even though
prior expenditure plans have allocated funding of $250 million to 
completing these efforts. As of today, these prior efforts have not 
produced an operational exit solution. Without better definition and 
justification of its future exit efforts, the department runs the serious 
risk of repeating its past failures. 



Conclusions

US-VISIT's prime contract cost and schedule metrics show that
expectations are being met, according to available data, although the EVM
system that the metrics are based on has yet to be independently certified. 
Notwithstanding this, such performance is a positive sign. 
However, most of the many management weaknesses raised in this report
have been the subject of our prior US-VISIT reports and testimonies and,
thus, are not new. Accordingly, we have already made a litany of
recommendations to correct each weakness, as well as follow-on
recommendations to increase DHS attention to and accountability for
doing so. Despite this, recurring legislative conditions associated with
US-VISIT expenditure plans continue to be less than fully satisfied and
recommendations that we made 4 years ago have still not been fully
implemented.

Exacerbating this situation is the fact that DHS did not satisfy two new 
legislative conditions associated with the fiscal year 2007 expenditure plan, 
and serious questions continue to exist about DHS' justification for and 
readiness to invest current, and potentially future, fiscal year funding 
relative to an exit solution and program management-related activities. 

DHS has had ample opportunity to address these many issues, but it has 
not. As a result, there is no reason to expect that its newly launched exit 
endeavor, for example, will produce results different from past 
endeavors — namely, DHS will not have an operational exit solution despite 
expenditure plans allocating about a quarter of a billion dollars to various 
exit activities. Similarly, on the basis of past efforts, there is no reason to 
believe that the program's disproportionate investment in management-related
activities represents a prudent and warranted course of action. All
told, this means that needed improvements in US-VISIT program 
management practices are long overdue. Both the legislative conditions 
and our open recommendations are aimed at accomplishing these 
improvements, and they need to be addressed quickly and completely. Thus 
far, they have not been, and the reasons that they have not are unclear. 



Recommendation for
Executive Action

Because our outstanding US-VISIT recommendations already address all of
the management weaknesses discussed in this report, we are reiterating
our prior recommendations and recommending that the Secretary of DHS
report to the department's authorization and appropriations committees on
its reasons for not fully addressing its expenditure plan legislative
conditions and our prior recommendations.
Agency Comments and
Our Evaluation

We received written comments on a draft of this report from DHS, which
were signed by the Director, Departmental GAO/IG Liaison Office, and are
reprinted in appendix II.



In its comments, DHS stated that it agreed with the majority of our findings, 
adding that the department realizes, and our report supports the fact, that 
improvements to US-VISIT's management controls, operational context, 
and human capital are needed. DHS also stated that the US-VISIT program
office would aggressively engage with us to address our open 
recommendations, noting that it appreciates the guidance provided by our 
reports. In this regard, DHS's comments described efforts completed, 
underway, and planned to address our recommendations, most of which 
were already reflected in the draft report. New information in DHS's 
comments covered its intentions relative to the next US-VISIT expenditure
plan and the next US-VISIT strategic plan, both of which are to be issued in 
fiscal year 2008. This new information is consistent with the intent of our 
open recommendations. New information also included the US-VISIT 
Director's intention to communicate high-priority risks to the Under 
Secretary of the National Protection and Programs Directorate, which is 
also in line with our open recommendations. 

However, DHS also stated that it disagreed with the "partially complete" 
status that we assigned to one of our open recommendations. It also stated 
that our observation characterizing past US-VISIT exit efforts as failed and 
costly implicitly devalued the experience and empirical data that the 
department gained from these proof-of-concept efforts, and this 
observation did not recognize relevant information about the program's use 
of biographic exit procedures. We do not agree with either of these 
comments, as discussed below. 

• With respect to the "partially complete" status that our report
assigns to the open recommendation for the program to develop and 
begin implementing a system security plan, and to perform a privacy 
impact analysis and use the results of this analysis in near term and 
subsequent system acquisition decision making, DHS stated that it 
considers this recommendation satisfied. In this regard, the department 
describes a number of actions that the program has taken with respect 
to US-VISIT security and privacy. We do not take issue with the actions
that DHS described, and would note that our draft report already 
recognizes them. Moreover, we too consider the privacy component of 
our recommendation satisfied. However, we do not agree with the 
department's position relative to the scope of US-VISIT's security
strategy in that it does not address known vulnerabilities associated
with a US-VISIT component system — TECS. 11 As we state in our report,
TECS is an integral component of US-VISIT and, according to federal
security standards, a system security plan, or in US-VISIT's case the
system security strategy, typically covers such component systems.
Therefore, we believe that the US-VISIT security risk assessment and
security strategy need to explicitly address such vulnerabilities, and 
thus we do not consider the entire recommendation as being fully 
satisfied. 

• With respect to our characterization of past US-VISIT exit efforts, the 
department stated that we incorrectly viewed these past efforts as "ends 
in themselves" and as "failed and costly" because they did not 
immediately conclude with operational systems. According to DHS, the 
program never intended for these efforts to be more than proof-of- 
concept learning experiences that would form the basis for more 
workable future system solutions. We do not agree with these 
comments. As we state in our report, the program first committed to full 
deployment of a biometric exit capability in 2003, and it has continued 
to make similar deployment commitments in subsequent years. At the 
same time, we have chronicled a pattern of inadequate analysis 
surrounding the expected costs, benefits, and risks of these exit efforts 
since 2004, and thus an absence of reliable information upon which to 
view their expected value and base informed exit-related investment 
decisions. Nevertheless, the program continued to invest each year in 
these biometric exit efforts, thus far having allocated about $250 million 
in funding to them. At no time, however, was any analysis produced to 
justify investing a quarter of a billion dollars to gain "experiences and 
empirical data" for such a sizeable investment. Rather, commitments 
were repeatedly made in expenditure plans for deploying an operational 
exit solution. While we recognize the value and role of demonstration 
and pilot efforts as a means for learning and informing future 
development efforts, our point is that exit-related efforts have been 
inadequately defined and justified over the last 4 years, despite being 
allocated $250 million, and the fiscal year 2007 expenditure plan proposes
more of the same. 



11 GAO, Information Security: Homeland Security Needs to Immediately Address
Significant Weaknesses in Systems Supporting the US-VISIT Program, GAO-07-870 
(Washington, D.C.: July 13, 2007). 
With respect to not recognizing the program's use of biographic exit
procedures in the above described observation, the department is correct 
that we describe these procedures in other sections of our report but not as 
part of this observation. We do not include this information under this 
observation because its focus is on the 4 years and $250 million that has 
been devoted to biometric-based exit efforts, and the lack of definition and 
justification in the fiscal year 2007 expenditure plan for these biometric 
efforts going forward. 



We are sending copies of this report to the Chairmen and Ranking Members 
of other Senate and House committees and subcommittees that have 
authorization and oversight responsibilities for homeland security. We are 
also sending copies to the Secretary of Homeland Security, Secretary of 
State, and the Director of OMB. We will also make copies available to 
others on request. In addition, the report will be available at no charge on 
GAO's Web site at www.gao.gov. 

If you or your staffs have any questions on matters discussed in this report, 
please contact me at (202) 512-3439 or at hiter@gao.gov. Contact points for 
our Offices of Congressional Relations and Public Affairs may be found on 
the last page of this report. GAO staff who have made significant 
contributions to this report are listed in appendix III. 




Randolph C. Hite 

Director, Information Technology Architecture 
and Systems Issues 
Introduction



The U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) program of 
the Department of Homeland Security (DHS) is a governmentwide program to 
collect, maintain, and share information on foreign nationals who enter and exit the 
U.S. The goals of US-VISIT are to 



• enhance the security of U.S. citizens and visitors, 

• facilitate legitimate travel and trade, 

• ensure the integrity of the U.S. immigration system, and 

• protect the privacy of our visitors. 






The Department of Homeland Security Appropriations Act, 2007, 1 states that DHS 
may not obligate $200 million of the $362.494 million appropriated for the US-VISIT
project until the Senate and House Committees on Appropriations receive a plan 
for expenditure that 

• meets the capital planning and investment control review requirements 
established by the Office of Management and Budget (OMB), including 
Circular A-11, part 7; 2

• complies with DHS's enterprise architecture; 

• complies with the acquisition rules, requirements, guidelines, and systems 
acquisition management practices of the federal government; 

• includes a certification by the DHS Chief Information Officer (CIO) that an 
independent verification and validation (IV&V) agent is currently under contract 
for the project; 



1 Pub. L. No. 109-295 (Oct. 4, 2006). 

2 OMB Circular A-11 establishes policy for planning, budgeting, acquisition, and management of federal capital assets.
• is reviewed and approved by the DHS Investment Review Board (IRB), the
Secretary of Homeland Security, and OMB; 

• is reviewed by GAO; 

• includes a comprehensive US-VISIT strategic plan; and 

• includes a complete schedule for biometric exit implementation. 

On March 20, 2007, DHS submitted its fiscal year 2007 expenditure plan for 
$362,494 million to the House and Senate Appropriations Subcommittees on 
Homeland Security. 
As agreed, our objectives were to

1. determine whether the US-VISIT fiscal year 2007 expenditure plan satisfies
the legislative conditions,

2. determine the status of our oldest open recommendations pertaining to
US-VISIT, 3 and

3. provide observations about the expenditure plan and management of the 
program. 

We conducted our work at US-VISIT offices in Arlington, Virginia, from March 2007 
through June 2007 in accordance with generally accepted government auditing 
standards. Details of our scope and methodology are described in attachment 1.



3 Our reports on US-VISIT expenditure plans have resulted in 28 recommendations, six of which pertain to the US-VISIT 
expenditure plan and 22 of which pertain to the US-VISIT program. The recommendations that we focused on are those 
that have been open for 4 years. For a full list of US-VISIT related GAO reports, see attachment 2. 
Results in Brief: Objective 1
Legislative Conditions

Summary of Fiscal Year 2007 US-VISIT Expenditure Plan's Satisfaction of Legislative Conditions

| Legislative conditions | Does not satisfy a | Partially satisfies b | Satisfies c |
|---|---|---|---|
| Meets the capital planning and investment control review requirements established by OMB, including OMB A-11, part 7 | | X | |
| Complies with the DHS enterprise architecture | | X | |
| Complies with the acquisition rules, requirements, guidelines, and systems acquisition management practices of the federal government | | X | |
| Includes a certification by the DHS CIO that an IV&V agent is currently under contract for the program | | | X |
| Is reviewed and approved by the DHS IRB, the DHS Secretary, and OMB | | | X |
| Is reviewed by GAO | | | X |
| Includes a comprehensive US-VISIT strategic plan | X | | |
| Includes a complete schedule for biometric exit implementation | X | | |

Source: GAO.

a Does not satisfy or provide for satisfying all key aspects of the condition we reviewed.

b Satisfies or provides for satisfying some, but not all, key aspects of the condition that we reviewed.

c Satisfies or provides for satisfying every aspect of the condition that we reviewed.
Results in Brief: Objective 2
Open Recommendations

Summary of Status of Open Recommendations

| Open recommendations | Partially complete d | Complete e |
|---|---|---|
| 1. Develop and begin implementing a system security plan and perform a privacy impact analysis and use the results of this analysis in near term and subsequent system acquisition decision making. | X | |
| 2. Develop and implement a plan for satisfying key acquisition management controls, including acquisition planning, solicitation, requirements management, project management, contract tracking and oversight, evaluation, and transition to support, and implement the controls in accordance with Software Engineering Institute (SEI) guidance. f | X | |
| 3. Ensure that expenditure plans fully disclose what system capabilities and benefits are to be delivered, by when, and at what cost, as well as how the program is being managed. | X | |
| 4. Ensure that the human capital and financial resources are provided to establish a fully functional and effective program office and associated management capability. | X | |
| 5. Clarify the operational context within which US-VISIT must operate. | X | |

Source: GAO.

d A recommendation is partially complete when documentation indicates that some, but not all, actions needed to implement it have been taken.
e A recommendation is complete when documentation demonstrates that it has been fully addressed.
f This recommendation is the merger of two of our prior recommendations.
Summary of Status of Open Recommendations (cont'd)

| Open recommendations | Partially complete d | Complete e |
|---|---|---|
| 6. Determine whether proposed US-VISIT increments will produce mission value commensurate with costs and risks and disclose to its executive bodies and the Congress the results of these business cases and planned actions. g | X | |
| 7. Develop and implement a human capital strategy that provides for staffing open positions with individuals who have the requisite core competencies (knowledge, skills, and abilities). | X | |
| 8. Develop and implement a risk management plan and ensure that all high risks and their status are reported regularly to the appropriate executives. | X | |
| 9. Define performance standards for US-VISIT that are measurable and reflect the limitations imposed by relying on existing systems. | X | |

Source: GAO.

d A recommendation is partially complete when documentation indicates that some, but not all, actions needed to implement it have been taken.
e A recommendation is complete when documentation demonstrates that it has been fully addressed.
g This recommendation is the merger of three of our prior recommendations.
Observation Summaries

• DHS data show that the US-VISIT prime contract is being executed according 
to cost and schedule expectations, as defined and measured by a well- 
accepted progress measurement technique known as earned value 
management. 

• DHS continues to propose disproportionately heavy investment in US-VISIT 
program management-related activities without adequate justification or full 
disclosure, to the point of spending $1.25 on management for every dollar
invested in new development. Without justifying and fully disclosing such a 
large investment in program management, questions persist as to whether this 
represents the best use of DHS resources. 

• DHS continues to propose spending tens of millions of dollars on exit projects 
that are not well-defined, planned, or justified on the basis of costs, benefits 
and risks. Without properly positioning itself for effectively and efficiently 
investing in an exit solution, DHS risks repeating its prior failed and costly exit 
efforts. 
Agency Comments



Because our outstanding US-VISIT recommendations already address all of the 
management weaknesses discussed in this briefing, we are reiterating our prior 
recommendations, and recommending that DHS report to its congressional 
authorization and appropriations committees the reasons for it not fully satisfying its 
US-VISIT expenditure plan legislative requirements and our prior 
recommendations. 

In comments on a draft of this briefing, DHS stated that the briefing was factually 
correct, that GAO's guidance provided value to the program, and that it would 
continue to address our recommendations. 
Background
US-VISIT Overview 



The goals of the US-VISIT program are to enhance the security of U.S. citizens and 
visitors, facilitate legitimate travel and trade, ensure the integrity of the U.S. 
immigration system, and protect the privacy of our visitors. US-VISIT is to 
accomplish these things by 

• collecting, maintaining, and sharing biometric and other information on certain 
foreign nationals who enter and exit the United States; 

• identifying foreign nationals who (1) have overstayed or violated the terms of
their admission; (2) can receive, extend, or adjust their immigration status; or 
(3) should be apprehended or detained by law enforcement officials; 

• detecting fraudulent travel documents, verifying traveler identity, and 
determining traveler admissibility through the use of biometrics; and 

• facilitating information sharing and coordination within the immigration and 
border management community. 




Background
US-VISIT Program Office

Organizational Structure and Functional Responsibilities 4

Director's Office

Chief Strategist

• Enterprise strategic planning
• Governance
• Policy, privacy, and business rules
• Organization change management
• Law and regulations

Mission Operations Management

• Business process reengineering
• Requirements development
• Policies and procedures
• Business transition
• Business results management
• Mission operations center

Information Technology Management

• Technical standards and biometrics
• Enterprise architecture and engineering coordination
• Enterprise architecture
• Enterprise engineering
• Transition management
• Test and evaluation
• Security

Acquisition and Program Management

• Acquisition strategy
• Contracts management
• Policies, procedures, and regulations
• Program planning
• Risk management
• Requirements management
• Quality assurance
• Program control
• Process improvement
• Configuration management

Facilities and Engineering

• Planning, integration, and execution
• Program/project management
• Environmental management
• Lease acquisition management
• Geographic information system management
• Traffic model analysis
• Interagency requirements development
• Schedule, budget, contracts, risk management

Budget and Financial Management

• Portfolio management
• Financial management
• Performance management

Outreach Management

• Liaison
• Communications
• Oversight

Implementation Management

• Increment 1
• Increment 2
• Increment 3
• Increment 4

Administration and Training

Source: US-VISIT.



4 See attachment 3 for more details on the current organization structure. A proposed program office reorganization is 
currently being reviewed by DHS. 
Background



Acquisition Strategy 

DHS originally planned to deliver biometric entry and exit capability in four major 
increments. 

• Increments 1 through 3 were to be interim, or temporary, solutions that focus 
on building interfaces among existing (legacy) systems; enhancing the 
capabilities of these systems; and deploying these systems to air, sea, and 
land ports of entry (POEs). 

• Increment 4 was to be a series of incremental releases, or mission capability 
enhancements, that were to deliver long-term strategic capabilities for meeting 
program goals. 

• In May 2004, DHS awarded an indefinite-delivery/indefinite-quantity 5 prime 
contract to Accenture and its partners for delivering future US-VISIT 
capabilities. 6 

5 An indefinite-delivery/indefinite-quantity contract provides for an indefinite quantity, within stated limits, of supplies or 
services during a fixed period of time. The government schedules deliveries or performance by placing orders with the 
contractor. 

6 Accenture's partners in this contract include, among others, Raytheon Company, the Titan Corporation, and SRA 
International, Inc. 
Background

Description and History of Increments 



Increment 1 

Increment 1 was intended to establish entry and exit capabilities at air and sea 
POEs. Increment 1 air and sea entry capabilities were deployed on January 5, 
2004, at 115 airports and 14 seaports for individuals requiring nonimmigrant visas
to enter the United States. 7 These capabilities include collecting and matching 
biographic information, biometric data (two digital index finger scans) and a digital 
photograph for selected foreign nationals. In addition, several types of increment 1 
air and sea exit devices for collecting biometric data were piloted at 12 airports and 
2 seaports. This 3-year pilot focused on the technical feasibility of a biometric exit 
solution at air and sea POEs. The pilot ended in May 2007. 



7 On September 30, 2004, US-VISIT expanded biometric entry procedures to include individuals from visa waiver countries 
applying for admission. 



Increment 2 

Increment 2 was originally to extend US-VISIT entry and exit capabilities to the 50 
busiest land POEs by December 31, 2004. Subsequently, the increment was 
divided into three parts— 2A, 2B, and 2C. 

• Increment 2A established entry capabilities at land, sea, and air POEs to 
biometrically authenticate machine-readable visas and other travel and entry 
documents issued by Department of State (State) and DHS to foreign 
nationals. 8 These capabilities were deployed to all POEs by October 23, 2005, 
except for e-Passports, which were deployed to 33 POEs by November 14, 
2006. These 33 POEs account for 97 percent of all travelers entering with e- 
Passports. 



8 Legislation requiring the installation of software and equipment at POEs to authenticate machine-readable visas and travel
documents and to have visa waiver countries issue e-Passports established a deadline of October 26, 2004 (Pub. L. No.
107-173, (May 14, 2002)), but this date was subsequently changed (Pub. L. No. 108-299 (Aug. 9, 2004)) to October 26,
2005, before DHS and State requested an extension from the congressional committee providing oversight to change the
date to October 26, 2006.



• Increment 2B extended the increment 1 entry solution to the 50 busiest land
POEs and included redesigning the process for issuing a handwritten form
I-94 9 to enable the electronic capture of biographic, biometric (unless the
traveler is exempt), 10 and related travel documentation for travelers arriving in
secondary inspection. This capability was deployed to the 50 busiest land
POEs as of December 29, 2004.

• Increment 2C was a proof-of-concept demonstration of the feasibility of using
passive radio frequency identification (RFID) technology 11 to record travelers'
entry and exit via a unique ID number tag embedded in the form I-94. It was
originally deployed at five land POEs. The demonstration was terminated in
November 2006.



9 Form I-94s are used to record a foreign national's entry into the United States. The form has two parts — arrival and
departure — containing a unique number for the purposes of recording and matching the arrival and departure records
of nonimmigrants.

10 For example, diplomats and persons under the age of 14 or over the age of 79 are exempt from US-VISIT
requirements.

11 Radio frequency technology relies on proximity cards and card readers. Radio frequency devices read the
information contained on the card when the card is passed near the device. The information can contain personal
identification of the cardholder.



Increment 3 

Increment 3 was to extend increment 2B entry capabilities to 104 land POEs by 
December 31, 2005. It was essentially completed as of December 19, 2005. 12

Increment 4 - Unique Identity 

All expenditure plans prior to fiscal year 2006 have described increment 4 as a yet- 
to-be-defined, strategic solution. The fiscal year 2006 plan described increment 4 
as the combination of two projects: (1) Transition to 10 fingerprints in the 
Automated Biometric Identification System (IDENT) and (2) Interoperability 
between IDENT and the Federal Bureau of Investigation's Integrated Automated 
Fingerprint Identification System (IAFIS). The fiscal year 2007 expenditure plan 
combines the two projects, with a third called enumeration (developing a single 
identifier for each individual), into a single project referred to as Unique Identity. 



12 At one POE, these capabilities were deployed by December 19, 2005, but were not fully operational until January 7, 
2006, because of a telephone company strike that prevented the installation of a high-capacity communications line. 
Background
Entry Systems Overview 13

Systems Diagram of Entry Capability

[Figure: systems diagram of entry capability. The legend distinguishes components common to all increments, Increment 1 only, and Increment 2B and 3 only. Labeled elements include NLETS, IDENT, the inspector at the POE workstation, the interface screens and peripherals for Increment 1 (document reader, digital camera, fingerprint reader), and the interface screens and peripherals for Increment 2B and 3 (document reader, digital camera, fingerprint reader, I-94 printer).]

Source: GAO analysis of US-VISIT data.

13 For details on the processes underlying each increment and systems supplying information to US-VISIT, see attachment 4.
Chronology of Expenditure Plans

| Fiscal year | Date submitted | Funds appropriated (in thousands) | Funds requested (in thousands) | Funds released to date (in thousands) |
|---|---|---|---|---|
| 2002 | 11/15/2002 | $13,300 | $13,300 | $13,300 |
| 2003 | 06/05/2003 | $362,000 | $375,000 | $367,000 14 |
| 2004 | 01/27/2004 | $330,000 | $330,000 | $330,000 |
| 2005 | 10/19/2004 | $340,000 | $340,000 | $340,000 |
| 2006 | 08/10/2006 | $336,600 | $336,600 | $336,600 |
| 2007 | 03/20/2007 | $362,494 | $362,494 | $162,494 |
| Total | | $1,744,394 | $1,757,394 | $1,557,394 |

Source: GAO, based on an analysis of DHS data.

14 In fiscal year 2003, the expenditure plan called for $375 million, but the appropriated amount was for $362 million. The
difference of $13 million was to have been made up through authorized user fees collected by U.S. Immigration and Customs
Enforcement. However, only $5 million in user fees was provided to the program, for a total of $367 million.
Background

2007 Expenditure Plan Funding Allocation

(costs in thousands)

| Areas of expenditure/Projects (see next slides for descriptions) | Government program management | Contractor program management support | Development | Operations and Maintenance | Other | Total |
|---|---|---|---|---|---|---|
| Exit (air and sea) | | 2,300 | 5,000 | | | $7,300 |
| U.S. travel documents and e-Passports (2A PKD) | | 2,700 | 8,100 | | | 10,800 |
| Unique Identity (10-print, enumeration, and IDENT/IAFIS interoperability) | | 17,400 | 76,500 | | | 93,900 |
| Data integrity and biometric support services | | 1,400 | 14,100 | | | 15,500 |
| Program management and operations | 25,700 | | | | | 25,700 |
| Contractor program management support | | 62,500 | | | | 62,500 |
| Operations and maintenance | | | | 138,800 | | 138,800 |
| Management reserve | | | | | 8,000 | 8,000 |
| Total | 25,700 | 86,300 | 103,700 | 138,800 | 8,000 | $362,500 |

Source: GAO, based on an analysis of DHS data.
Summary of 2007 US-VISIT Expenditure Plan



Exit: Includes planning and implementation of the chosen deployment option for the 
implementation of an exit screening program at air and sea ports. 

U.S. travel documents and e-Passports: Includes development, testing, and deployment of 
public key directory (PKD) validation services 15 for e-Passport readers. 

Unique Identity: Includes implementing the 10-fingerprint scanners and the interim data 
sharing model (iDSM); 16 related systems interoperability; associated facilities and engineering 
support; and systems architecture, engineering and integration, and design. 

Data Integrity and Biometric Support Services: Includes providing qualified leads and 
actionable information to the U.S. Customs and Border Protection Service and U.S. 
Immigration and Customs Enforcement; establishment of lookout records for visa denials and 
adverse actions by border officials. 

Program management and operations: Includes the government salaries and benefits for
115 government program office positions necessary to manage and operate the program, 
including relocation costs, personnel security checks, and training. 



15 These services verify and authenticate the origins of e-passports and traveler's identities. 

16 The iDSM is a prototype of new functionality allowing US-VISIT and the Federal Bureau of 
Investigation to share biometric and associated biographic information. It was deployed in September 2006. 



Contractor services-program management: Includes the program office support 
contractors. 

Operations and maintenance: Includes operations and maintenance of Increment 
1, 2, and 3 systems, including technical, application, system, network, and 
infrastructure support costs. 

Program management reserve: Includes funds allocated to accommodate 
unknown timing and magnitude of risks. 
US-VISIT Project Life Cycle Management



US-VISIT has adopted its own methodology for managing its projects throughout 
their respective life cycles. This methodology is known as the US-VISIT Enterprise 
Life Cycle Methodology (ELCM). Within the ELCM is a component methodology for 
managing software-based system projects known as the US-VISIT Delivery
Methodology (UDM). According to version 4.3 of UDM (April 2007), it 

• Applies to new development projects and existing, operational projects. 

• Specifies the documentation and reviews that should take place within 
each of the methodology's six phases: plan, analyze, design, build, test, 
and deploy. 

• Allows for tailoring to meet the needs and requirements of individual 
projects, in which specific activities, deliverables, and milestone reviews 
that are appropriate for the scope, risk, and context of the project can be 
set for each phase of the project. 

The chart on the following page shows where US-VISIT projects are in terms of the 
life cycle methodology. 
Background: US-VISIT Project Status
(New Development and Operational)

[Figure: chart placing US-VISIT projects along the life cycle phases Plan, Analyze, Design, Build, Test, Deploy, and Operational, with UDM gate reviews and the new development work pattern marked. Projects shown: Exit*, IDENT/IAFIS Interoperability IOC**, 10-Print Pilot, Unique Identity, Public Key Directory, Enumeration Services, Increments 1, 2, and 3, and IDENT/IAFIS Interoperability iDSM.]

Source: GAO, based on an analysis of DHS data.

* Exit project in pre-planning; not within the UDM Technology Workstream
** IOC: Initial Operational Capability
Background
US-VISIT Task Orders

US-VISIT Prime Contract Task Orders' Status and Description According to Area of Expenditure/Project

| Area of Expenditure/Project | Task Order Name | Start | Status/Completion Date | Description |
|---|---|---|---|---|
| Exit | Exit pilot beta survey data collection | August 2004 | Completed May 2005 | Pilot, test, and evaluate three exit alternatives (kiosk, mobile, hybrid) at selected international ports of departure |
| | Increment 1B | February 2005 | Completed Dec 2006 | Air and Sea Exit Deployment — provide services for national deployment of the 1B exit solution as determined from results of 1B pilots |
| | Increment 2C | September 2004 | Ongoing a | Planning and implementation of the US-VISIT Increment 2C Proof of Concept Project |
| U.S. Travel Documents and e-Passports | International Registered Traveler IPT | February 2005 | Completed Aug 2005 | Support for SecurePass IPT, an integrated international registered traveler program designed to enhance national security and improve efficiency |
| | Increment 2A - PKD | March 2005 | Ongoing | Development and implementation of PKD Validation Service to allow for biometric comparison and authentication of US visas and other travel documents |
| | Material support to Increment 2A - PKD | March 2007 | Ongoing | Purchase of materials, including hardware and software, to meet requirements of the PKD validation services project |

Source: GAO, based on an analysis of DHS data.

a Increment 2C was terminated in November 2006. This task order will close once shutdown activities are complete.
US-VISIT Prime Contract Task Orders' Status and Description According to Area of Expenditure/Project

| Area of Expenditure/Project | Task Order Name | Start | Status/Completion Date | Description |
|---|---|---|---|---|
| Unique Identity | IT solutions delivery | October 2004 | Ongoing | Planning, development and implementation of the Biometric Identification Systems Project, now referred to as Unique Identity (IDENT/IAFIS integration and IDENT 10-print) |
| | Integration support to the Unique ID project office | November 2006 | Ongoing | Program and technical integration support services |
| | Material support to task order 007 | April 2007 | Ongoing | Material, maintenance licenses, warranty, etc. in support of task 007 IT solutions |
| Data Integrity and Biometric Support | Data management support | August 2004 | Ongoing | Support Program Office Data Management Branch — identify errors, omissions, and trends in data; recommend corrective actions; provide refined data to other offices (e.g., U.S. Immigration and Customs Enforcement) to support criminal investigations, lookout creation, and informed managerial/operational decision making |

Source: GAO, based on an analysis of DHS data.
US-VISIT Prime Contract Task Orders' Status and Description According to Area of Expenditure/Project

| Area of Expenditure/Project | Task Order Name | Start | Status/Completion Date | Description |
|---|---|---|---|---|
| Contractor Support - Program Management | Program level management | July 2004 | Ongoing | Comprehensive program and project management methodology, policies, processes, procedures, and support to program office |
| | Strategic Plan | October 2004 | Completed March 2005 | Create and document a comprehensive strategic plan that describes necessary activities to integrate US-VISIT processes and systems |
| | Blueprint | May 2005 | Completed Nov 2006 | Create a US-VISIT blueprint that describes a comprehensive approach to achieving the overall vision for US-VISIT's immigration and border management enterprise |
| | Program level engineering | September 2004 | Ongoing | Develop and maintain the standards, guidance, architectures, performance models, and other engineering processes necessary to support the development of functionality |
| | Development and support of program planning activities | November 2006 | Ongoing | Support the development and maintenance of program planning artifacts and analyze phases of project execution and planning, updating, and implementing the US-VISIT Strategic Plan |

Source: GAO, based on an analysis of DHS data.
US-VISIT Prime Contract Task Orders' Status and Description According to Area of Expenditure/Project

| Area of Expenditure/Project | Task Order Name | Start | Status/Completion Date | Description |
|---|---|---|---|---|
| Operations and Maintenance | Facilities and infrastructure | March 2005 | Ongoing | Provisioning of office/facility space, furniture, workstations, telecommunications and other infrastructure to support contractor activities |
| | Operations and maintenance | August 2006 | Ongoing | Management of operations and maintenance activities for deployed capabilities |

Source: GAO, based on an analysis of DHS data.
Overview of DHS Investment Management Process



DHS recently changed its investment management process. Prior to 2006, DHS IT 
programs, including US-VISIT, were subject to key decision point reviews. 
According to DHS, this approach was adopted from the Department of Defense's 
investment management process, and while well-suited for the acquisition of fighter 
jets, ships, etc., was not well-suited for acquisition of IT systems. 

Accordingly, DHS drafted an Investment Review Process guide that adopts an 
approach using milestone decision points (MDP) linking five life cycle phases: (1) 
project initiation, (2) concept and technology development, (3) capability 
development and demonstration, (4) production and deployment, and (5) 
operations and support. According to DHS, this guide provides more flexibility, 
allowing DHS to tailor the number of phases and milestone reviews based on risk 
and visibility. MDP reviews can be performed concurrently with an expenditure plan 
review. The draft guide was issued in March 2006; as of May 2007, the draft guide 
had not been approved. 
Overview of DHS Investment Control Process



Under the draft guide, a program sends an investment review request to the 
Integrated Project Review Team (IPRT) prior to the initial MDP. The IPRT assigns 
the program to a portfolio, and schedules the program for a Joint Requirements 
Council and/or IRB review. According to the official from DHS's Program Analysis 
and Evaluation Directorate who is responsible for overseeing program adherence 
to the investment control process, it is being used for all DHS programs. 
Condition 1



The fiscal year 2007 US-VISIT expenditure plan, related program 
documentation, and program officials' statements satisfy (in part or total) 
most, but not all, of the legislative conditions. 

Condition 1. The plan, including related program documentation and program 
officials' statements, satisfies or partially satisfies all aspects of the capital 
planning and investment control review requirements established by OMB, 
including OMB Circular A-11, part 7. 18

The table that follows provides examples of the results of our analysis, including
areas in which the A-11 requirements have been and have not been fully satisfied.
Given that the A-11 requirements are intended to minimize a program's exposure
to risk, permit performance measurement and oversight, and promote 
accountability, any areas in which the program falls short of the requirements 
reduce the chances of delivering cost-effective capabilities and measurable results 
on time and within budget. 



18 OMB Circular A-11, part 7 establishes policy for planning, budgeting, acquisition, and management of federal capital
assets. 
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Objective 1 : Legislative Conditions 

Condition 1 



Examples of A-11 Conditions 



Results of our analysis 



Provide a brief description of the 
investment and its status in the capital 
planning and investment control review, 
including major assumptions made 
about the investment. 


The expenditure plan and fiscal year 2007 Exhibit 300 provide a description of 
US-VISIT but do not include its status in the DHS capital planning and 
investment control process. According to program officials, the program was re- 
evaluated under the MDP process defined in the draft DHS investment review 
process guide. On February 7, 2007, it passed its first MDP and is now 
undergoing its second MDP review. Also, the expenditure plan and related 
program documents identify a number of program assumptions. Examples of 
assumptions cited in the fiscal year 2007 Exhibit 300 submission include (1) 
existing facilities at land POEs will not support the proposed incorporation of 
biometric devices without investment in equipment and infrastructure, and (2) 
improved exit processes are needed to collect accurate data on departures. 


Provide a summary of the investment's 
risk assessment, including how 19 OMB- 
identified risk elements are being 
addressed. 


The US-VISIT enterprise risk assessment was completed in December 2005. It 
identified a number of risks, their likelihood of occurrence, their potential impact, 
and recommended controls to address each risk. The most recent version of the 
risk management plan was approved in February 2007. Under the processes 
defined in this plan, risks are to be monitored and reviewed by program 
management and stakeholders through integrated project teams. All identified 
risks are to be logged in the risk database and are to be individually reviewed by 
the Director. Both the Exhibit 300 and the Risk Management Plan address the 
19 OMB-identified risk elements. 



Source: OMB criteria and GAO analysis of DHS documentation.

A-11 condition: Demonstrate that the investment is included in the agency's
enterprise architecture and capital planning and investment control process.
Illustrate agency's capability to align the investment to the Federal Enterprise
Architecture (FEA).

Results of our analysis: The plan does not describe US-VISIT relative to the DHS
enterprise architecture (EA) or the capital planning and investment control
process. Moreover, the last review of program compliance with the DHS EA was in
August 2004, and since then US-VISIT and the DHS architecture have changed
significantly. With regard to the FEA, the fiscal year 2007 OMB Exhibit 300
budget submission contains tables that satisfy OMB's requirement for listing the
various aspects of the FEA that the program supports. In February 2007, the
program completed a MDP1 review, which program officials told us revalidated
the program. The program has since submitted to the Enterprise Architecture
Center of Excellence its MDP2 review package. US-VISIT's architecture alignment
is further discussed under the legislative condition 2 section of this briefing.

A-11 condition: Provide a description of an investment's security and privacy
issues. Summarize the agency's ability to manage security at the system or
application level. Demonstrate compliance with the certification and
accreditation processes as well as the mitigation of IT security weaknesses.

Results of our analysis: As we previously reported, US-VISIT's 2004 security
plan and privacy impact assessments generally satisfied OMB and the National
Institute of Standards and Technology (NIST) security guidance. Further, the
expenditure plan states that all of the US-VISIT component systems have been
certified and accredited and given authority to operate. Also, the program
office developed a security strategy in December 2006 that was based on the
2005 risk assessment. However, this security strategy was limited to the
systems under US-VISIT control and does not mention, for example, the Treasury
Enforcement Communications System (TECS) which provides biographic information
to US-VISIT and is owned by Customs and Border Protection. According to NIST
Special Publication 800-18, a comprehensive security strategy should include all
component systems. We have ongoing work to evaluate the quality of US-VISIT
security documents and practices.



Source: OMB criteria and GAO analysis of DHS documentation.

A-11 condition: Provide a summary of the investment's status in accomplishing
baseline cost and schedule goals through the use of an earned value management
(EVM) system or operational analysis, depending on the life-cycle stage.

Results of our analysis: The program is currently relying on the prime
contractor's EVM system to manage the prime contractor's progress against cost
and schedule goals. This EVM system was self-certified by the prime contractor
in December 2003 as meeting established standards, but has yet to be verified by
the agency or an independent representative of the agency as required by OMB.
In December 2006, the program office contracted with the Defense Contract
Management Agency to conduct this verification, but it will not be completed
until August 2008. Finally, while the fiscal year 2006 expenditure plan stated
that all US-VISIT contractors will perform EVM and program officials stated
that this will be performed in accordance with DHS guidelines for all contracts
after October 1, 2006, the fiscal year 2007 expenditure plan does not continue
to make this commitment.

Source: OMB criteria and GAO analysis of DHS documentation

Condition 2. The plan, including related program documentation and program
officials' statements, partially provides for satisfying the condition that it comply 
with DHS's EA. 

According to federal guidelines and best practices, investment compliance with an 
EA is essential for ensuring that an organization's investment in new and existing 
systems is defined, designed, and implemented in a way that promotes integration 
and interoperability and minimizes overlap and redundancy, thus optimizing 
enterprisewide efficiency and effectiveness. A compliance determination is not a 
one-time event that occurs when an investment begins, but is, rather, a series of 
determinations that occurs throughout an investment's life cycle as changes to both 
the EA and the investment's architecture are made. 

The DHS Enterprise Architecture Board, supported by the Enterprise Architecture 
Center of Excellence, is responsible for ensuring that projects demonstrate 
adequate technical and strategic compliance with the department's EA.

The DHS Enterprise Architecture Board has not conducted a detailed review of
US-VISIT architecture compliance in more than 2 years. In August 2004, the board
reviewed US-VISIT's architectural alignment with some aspects of the DHS EA,
and it recommended that US-VISIT be given conditional approval to proceed. 19
However, we reported 20 in February 2005 that this architectural compliance was
limited because:

• DHS' determination was based on version 1.0 of the EA, which was missing, in
part or in whole, all the key elements expected in a well-defined architecture, 
such as a description of business processes, information flows among these 
processes, and security rules associated with these information flows. 

• DHS did not provide sufficient documentation to allow us to understand the 
methodology and criteria for architecture compliance or to verify analysis 
justifying the conditional approval. 



19 The condition was that the program office resubmit documentation upon approval of the US-VISIT strategic plan, which 
at the time was to be January 2005. 

20 GAO, Homeland Security: Some Progress Made, but Many Challenges Remain on U.S. Visitor and Immigrant Status 
Indicator Technology Program, GAO-05-202 (Washington D.C.: Feb. 23, 2005).

Moreover, the next architecture alignment review did not occur until more than 2
years later, in November 2006. This review was part of US-VISIT's MDP1 
revalidation review, and it focused on compliance with 2 components of the DHS 
EA 2006. In February 2007 US-VISIT received MDP1 approval with the stipulation 
that the program undergo a MDP2 review within 60 days. 

This February 2007 MDP1 alignment determination does not fully satisfy the 
legislative condition for several reasons. 

• The review was based on US-VISIT documentation that was not current. In 
particular, the US-VISIT Mission Needs Statement 21 did not reflect recent 
changes to the program, such as the IDENT/IAFIS interoperability and
expansion of IDENT to collect 10, rather than 2, prints. 

• The review assessed compliance with only general aspects of the DHS EA, 
such as the investment portfolio, the architecture principles, and the business 
model. It did not include US-VISIT's compliance with other relevant aspects of 
the EA, such as the data and information security components. 



21 Department of Homeland Security, US-VISIT Mission Needs Statement (Washington, D.C.: Nov. 20, 2003).

• The review was based on DHS EA 2006. We reported 22 in May 2007 that this
version was missing important architectural content and did not address most 
of the comments made by DHS stakeholders. As a result, we concluded that it 
was not complete, consistent, understandable, or usable. 

Program officials told us that they submitted documentation for a more 
comprehensive MDP2 alignment review to the Enterprise Architecture Centers of 
Excellence in April 2007. They also stated that they have mitigated the risks of
US-VISIT being misaligned with the DHS EA through other means. These included:

• submitting the technical baseline of existing hardware and software to the EA
Center for Excellence for inclusion in the DHS EA;

• submitting technology insertion requests for new equipment planned for
US-VISIT, such as RFID technology, to the EA Center of Excellence for review and
inclusion in the DHS EA; and

• relating US-VISIT capabilities with the business and services models of the 
FEA reference models. 

22 GAO, Homeland Security: DHS Enterprise Architecture Continues to Evolve, But Improvements Needed, GAO-07-564 
(Washington D.C.: May 9, 2007).

Notwithstanding these steps, DHS has yet to demonstrate, through verifiable
documentation and methodologically-based analysis, that US-VISIT is aligned with 
a well-defined DHS EA. As a result, the program will remain at risk of being 
defined and implemented in a way that does not support optimized departmentwide 
operations, performance, and achievement of strategic goals and outcomes.

Condition 3. The plan, including related program documentation and program
officials' statements, partially provides for satisfying the condition that it comply 
with the acquisition rules, requirements, guidelines, and systems acquisition 
management practices of the federal government. 23 

Federal IT acquisition requirements, guidelines, and management practices provide 
an acquisition management framework that is based on the use of rigorous and 
disciplined processes for planning, managing, and controlling the acquisition of IT 
resources. 24 Effective acquisition management processes are embodied in 
published best practices models, such as the Software Engineering Institute (SEI) 
Capability Maturity Models®. These models explicitly define, among other things, 
acquisition process management controls that are recognized hallmarks of 
successful organizations and that, if implemented effectively, can greatly increase 
the chances of acquiring software-intensive systems that provide promised 
capabilities on time and within budget. 



23 We did not review the program's compliance with the Federal Acquisition Regulation. 

24 See, for example, the Clinger-Cohen Act of 1996, Pub. L. No. 104-106, (Feb. 10, 1996) and OMB Circular A-130.

We reported in September 2003 25 that the program office had not defined key
acquisition management controls to support the acquisition of US-VISIT, and 
therefore its efforts to acquire, deploy, operate, and maintain system capabilities 
were at risk of not meeting system requirements and benefit expectations on time 
and within budget. 

Subsequently, the program adopted SEI Capability Maturity Model Integration 26 
(CMMI®) to guide its efforts to employ effective acquisition management practices 
and approved an acquisition management process improvement plan dated May 
16, 2005. One of the goals of this plan was to achieve a CMMI® level 2 capability 
rating from SEI by October 2006. 



25 GAO, Homeland Security: Risks Facing Key Border and Transportation Security Program Need to be Addressed,
GAO-03-1083 (Washington D.C.: Sept. 19, 2003).

26 The CMMI® ranks organizational maturity according to five levels. Maturity levels 2 through 5 require verifiable existence and 
use of certain key process areas.

In September 2005, DHS's initial assessment of 13 US-VISIT key acquisition
process areas revealed a number of weaknesses. In light of this, US-VISIT updated 
its acquisition management process improvement plan, narrowing the scope of the 
process improvement activities to six of the CMMI process areas (project planning,
project monitoring and control, requirements management, risk management,
configuration management, and product and process quality assurance) and
focusing on two US-VISIT projects — U.S. Travel Documents-ePassports (formerly 
Increment 2A) and Unique Identity. Under the updated plan, the goal for an 
external CMMI evaluation remained October 2006. 

During 2006, the program conducted periodic assessments in the six key process 
areas and reported that while it had increased the number of fully and largely 
implemented practices within these six areas, sufficient progress had not been 
made to pass an external evaluation in October 2006. Some of the weaknesses 
reported were:

• Insufficient definition of processes and preparation of supporting documents for
areas such as systems development, budget and finance, facilities, and 
strategic planning (e.g., product work flow among organizational units was 
unclear and not documented, and roles, responsibilities, and assignments for 
performing work tasks and activities were not adequately defined and 
documented). 

• Lack of policies, process descriptions, and templates for requirements 
development and management. 

• Lack of definition of roles, responsibilities, work products, expectations, 
resources, and accountability of external stakeholder organizations. 

The program has since revised its process improvement plan. Among other things, 
the revised plan delays the date for having an external CMMI evaluation from 
October 2006 to November 2007. At the same time, it has continued to address the 
weaknesses discovered during earlier internal assessments. Based on its latest 
periodic assessment (March 2007), the program office reports that 83 percent of 
key practices are now either fully or largely implemented, up from 26 percent in 
August 2005 (see chart on next slide).

[Figure: Status of US-VISIT Implementation of 113 Key Practices Associated with Six CMMI Key Process
Areas. Legend: Implemented Practices, Largely Implemented Practices, Partially Implemented Practices,
Not Implemented Practices. Periods shown: August 2005, June 2006, November 2006.]

Source: GAO, based on an analysis of DHS data.

In addition, the fiscal year 2007 expenditure plan reported progress in a seventh
key process area not included in the program's CMMI improvement efforts — 
contract tracking and oversight. 

• In 2006, we reported 27 that the program office had not effectively overseen 
US-VISIT related contract work performed on its behalf by other DHS and 
non-DHS agencies, and these agencies did not always establish and 
implement the full range of controls associated with effective management 
of contractor activities. Further, neither the program office nor the other 
agencies had implemented effective financial controls. 28 

• Since this report was issued, the program office has instituted the use of 
oversight plans for new task order and contract awards and is developing a 
set of requirements for reimbursable contracts that address our 
recommendations to enhance the probability of successful performance and 
reduce risks. 



27 GAO, Homeland Security: Contract Management and Oversight for Visitor and Immigrant Status Program Need to 
Be Strengthened, GAO-06-404 (Washington, D.C.: June 9, 2006). 

28 Financial controls include practices to provide accurate, reliable, and timely accounting for billings and 
expenditures.

Notwithstanding this reported progress in implementing acquisition management
process areas, the program's acquisition management improvement efforts are 
focused on only seven acquisition management process areas. Other areas are 
also relevant to the program and need to be addressed. The status of the program 
office's efforts to implement our recommendations aimed at implementing the full 
range of acquisition management controls is discussed later in this briefing.

Condition 4. The plan satisfies the condition that it include a certification by the
DHS CIO that an IV&V agent is currently under contract for the project. 

On February 21, 2007, the DHS Deputy CIO certified in writing that two
independent verification and validation agents 29 were under contract for US-VISIT 
and that these agents met the requirements and standards for an IV&V agent. 



29 One IV&V contractor was obtained to assess organizational program risk. The second IV&V contractor was obtained to 
independently assess system testing activities.

Condition 5. The plan, including related program documentation and program
officials' statements, satisfies the requirement that it be reviewed and approved by 
the DHS Investment Review Board, the Secretary of Homeland Security, and OMB. 

• The DHS Deputy Secretary, who is also the chair of the Investment Review
Board, approved the fiscal year 2007 expenditure plan, and

• OMB approved the plan on March 20, 2007.

Condition 6. The plan satisfies the requirement that it be reviewed by GAO.
Our review was completed on June 15, 2007.

Condition 7. The plan does not satisfy the condition that it include a
comprehensive US-VISIT strategic plan. 

Strategic plans are the starting point and basic underpinning for results-oriented 
management. Such plans articulate the fundamental mission of an organization, or 
program, and lay out its long-term goals and objectives for implementing that 
mission, including the resources needed to reach these goals. Federal legislation 
and guidelines 30 require that agencies' strategic plans include six key elements: (1) 
a comprehensive mission statement, (2) strategic goals and objectives, (3) 
strategies and the various resources needed to achieve the goals and objectives, 
(4) a description of the relationship between the strategic goals and objectives and 
annual performance goals, (5) an identification of key external factors that could 
significantly affect the achievement of strategic goals, and (6) a description of how 
program evaluations were used to develop or revise the goals and a schedule for 
future evaluations. As we have previously reported, 31 strategic plans should
also include a discussion of management challenges facing the program that may
threaten its ability to meet long-term, strategic goals and efforts to
coordinate among cross-cutting programs, activities, or functions.

30 Government Performance and Results Act of 1993, Pub. L. No. 103-62 (Aug. 3, 1993) and OMB Circular A-11, Preparation,
Submission, and Execution of the Budget, (June 30, 2006) provide guidance in this instance since the US-VISIT strategic
plan is not an agencywide strategic plan.

31 GAO, Managing for Results: Critical Issues for Improving Federal Agencies' Strategic Plans, GAO/GGD-97-180
(Washington, D.C.: Sep. 16, 1997).

While the US-VISIT program is not required to explicitly follow these guidelines, the 
guidelines nonetheless provide a framework for effectively developing strategic 
plans and the basis for program accountability. However, the US-VISIT strategic 
plan 32 does not include any of these key elements associated with effective 
strategic plans. In summary, the plan describes eight desired program capabilities 33 
and provides an implementation strategy that describes how each of these 
capabilities will be delivered over a multi-year investment horizon through three 
categories of activities - Foundation, Transformation, and Globalization. 



32 The fiscal year 2007 expenditure plan contains an appendix titled "Comprehensive Strategic Plan for US-VISIT," which the 
US-VISIT Program Director told us is the program's approved strategic plan. 

33 The eight capabilities are: (1) identify a person, (2) assess risk and eligibility, (3) record entry, exit, and status,
(4) take law enforcement actions, (5) communicate with external entities, (6) manage knowledge, information, and intelligence,
(7) manage the immigration and border management enterprise and (8) infrastructure development. In an earlier section of the
strategic plan, only seven of the capabilities are discussed, omitting "infrastructure development."



• Foundation activities, which are described as modernization, enhancement,
and expansion of capabilities and technologies, as well as leveraging current
capabilities and technologies.

• Transformation activities, which are described as the implementation of
processes and technologies that cut across the particular functions and entities
that make up the immigration and border management system.

• Globalization activities, which are described as the coordination and sharing of
information with foreign governments to improve the ability to detect and
prevent potential threats from either entering the United States or remaining
here.

However, the plan does not provide time frames for the completion of these broad
investment categories. The plan also does not include strategic goals and 
objectives or strategies for achieving goals and objectives. As a result, it is not 
clear what program capabilities will be delivered when and whether they are 
aligned with the program's goals and objectives. Further, the plan does not include 
a comprehensive mission statement, describe the relationships between strategic 
goals and annual performance goals, the external factors that could affect the 
program, and the program evaluations used to establish or revise the goals. 

In addition, the US-VISIT strategic plan does not address management challenges 
facing the program, such as those addressed in our past recommendations. And 
although the strategic plan identifies the ability to communicate with external 
stakeholders as a desired capability, the plan does not provide any evidence of 
such past communication or explain the relationship between US-VISIT and other 
organizations within the border and immigration management enterprise. For 
example, it does not describe the relationship between US-VISIT and DHS's 
Western Hemisphere Travel Initiative, even though both programs involve the entry 
of certain foreign individuals at U.S. POEs.

While the strategic plan is missing important content, other related program
documentation includes some of this content. For example, the fiscal year 2007 
expenditure plan and the US-VISIT Mission Needs Statement state the program's 
mission and goals. In addition, the US-VISIT Program Blueprint describes eight 
core capabilities, which are very similar to those described in the strategic plan, 
and maps those capabilities to four business outcomes. However, the Blueprint 
does not include strategic goals, so it is not clear whether the business outcomes 
are aligned with US-VISIT's goals. Further, the outcomes are not described in the 
strategic plan. 

The Program Blueprint also notes that responsibilities for immigration and border 
management are spread across multiple agencies and departments. However, it 
does not provide clear delineations of these organizations' respective tasks, 
services, or efforts. Further, the strategic plan does not cite or describe any 
coordination efforts to address this situation. Additionally, the Blueprint identifies 
border and immigration management enterprise stakeholders and identifies, for 
each stakeholder, needs and priorities, challenges, how the business outcomes will 
benefit the stakeholder, and stakeholder constraints that will affect business 
outcomes.

This means that while some of the content of a US-VISIT strategic plan is captured
in a fragmented fashion across a range of documents, the full range of content 
needed to define an authoritative strategic direction, focus, and roadmap for the 
program that is approved by departmental leadership is missing. Without it, DHS 
reduces the chances that the US-VISIT program will achieve desired results and 
succeed in achieving the program's goals and objectives.

Condition 8. The plan, including related program documentation and program
officials' statements, does not satisfy the condition that it include a complete 
schedule for biometric exit implementation. 

The fiscal year 2007 expenditure plan addresses DHS' near-term deployment plans 
for biometric exit capabilities at air and sea POEs. Further, it notes the absence of 
near-term biometric options for land POEs and mentions only a possible near-term, 
interim option that is being considered. In addition, the expenditure plan addresses 
all three locations of US-VISIT technology (air, sea, and land). However, the 
expenditure plan's discussion of exit capabilities is conceptual and general and 
does not contain a schedule for the full implementation of US-VISIT exit capabilities 
at air, sea and land POEs.

Air

The plan states that DHS plans to incorporate air exit into the airline check-in 
process. However, the plan does not provide any details as to what capabilities will 
be acquired and deployed when and at what cost. Instead, it states that DHS plans 
to integrate US-VISIT's efforts with CBP's pre-departure Advance Passenger 
Information System 34 and TSA's Secure Flight 35 for purposes of partnering with the 
airline industry. Further, the plan does not include any schedule of air exit 
implementation activities, but rather, simply states that DHS plans to initiate efforts 
on its air exit solution at an unspecified time during the third quarter of fiscal year 
2007, and will fully deploy the air exit solution by an unspecified time during 
calendar year 2008. 



34 The Advance Passenger Information System captures arrival and departure manifest information provided by air and
sea carriers. 

35 Secure Flight is a program being developed by TSA to prescreen passengers - or match passenger information against 
terrorist watch lists to identify individuals who should undergo additional security scrutiny - for domestic flights.

On June 11, 2007, DHS provided us with a schedule for air exit, which the
department characterized as high-level. For example, it does not include the 
underlying details supporting the timelines for such areas of activity as system 
design, system testing, and system development. However, program officials told
us that greater detail existed to support the schedule but that, because this had not
been approved by DHS, it could not be provided. The schedule provided indicates
that the air exit solution will be fully deployed by June 2009, which is at least six 
months after the deployment date provided in the expenditure plan. 

Sea 

The plan states that DHS will initiate planning efforts on the sea exit deployment at 
an unspecified time during fiscal year 2007, and that it will emulate the technology 
and operational plans used for the air exit solution. However, the plan does not 
provide any details about how, when, and at what cost the sea exit solution will be 
accomplished, or provide a completion date or any interim dates.

Land

Consistent with our December 2006 report, 36 the plan states that implementing a 
biometric exit solution at land POEs is significantly more complicated and costly 
than air or sea exit because it would require a costly expansion of existing exit 
capacity, including physical infrastructure, land acquisition, and staffing. Because of 
this, the plan concludes that land exit cannot be practically based on biometric 
validation in the short term. In lieu of biometric-based exit at land POEs in the near 
term, the plan states that DHS will initially seek to match entry and exit records 
using biographic information in instances where departure information is not 
collected from an individual who leaves the country, as in the case of an individual 
who does not submit their Form I-94 37 upon departure. 



36 GAO, Border Security: US-VISIT Program Faces Strategic, Operational, and Technological Challenges at Land Ports of 
Entry, GAO-07-248 (Washington, D.C.: Dec. 6, 2006). 

37 I-94 forms are used to track foreign nationals' arrivals and departures. Each form is divided into two parts: an entry portion
and an exit portion. Each form contains a unique number printed on both portions of the form for the purposes of subsequent
recording and matching the arrival and departure records for nonimmigrants.

However, the plan does not specify what this near-term focus entails and how,
when, and at what cost it will be accomplished. Rather, it says that DHS has not yet 
determined a time frame or any cost estimates for the initiation of a land exit 
solution.

Recommendation 1: Develop and begin implementing a system security plan and
perform a privacy impact analysis and use the results of this analysis in near-term 
and subsequent system acquisition decision-making. 

Status: Partially complete 

A system security plan and privacy impact assessment are important to 
understanding system requirements and ensuring that the proper safeguards are in 
place to protect system data, resources, and individuals' privacy. Both best 
practices and federal guidance advocate their development and use. 

System Security Plan 

The purpose of a system security plan is to define the steps that will be taken (i.e., 
security controls that will be implemented) to cost-effectively address known 
security risks. We reported 38 in 2005 that the program office developed a US-VISIT 
system security plan that was generally consistent with federal practice. However, 
we also reported at that time that the plan was not based on a security risk 
assessment. 

38 GAO-05-202.

In December 2005, the program office developed a US-VISIT risk assessment that
addressed the risk elements required by OMB, including having an inventory of 
known risks, their probability of occurrence and impact, and recommended controls 
to address them. At that time, program officials told us that they intended to 
develop a US-VISIT security strategy that reflected the results of this risk 
assessment. 

In December 2006, the program office developed a US-VISIT security strategy and 
has since begun implementing it. For example, it has conducted security 
evaluations of commercial off-the-shelf software products before adding them to 
the program's technical baseline. However, the scope of this strategy does not 
extend to all the systems that comprise US-VISIT. For example, the Treasury 
Enforcement Communications System (TECS), an integral component of
US-VISIT, is not under the US-VISIT inventory of systems because it is owned by
Customs and Border Protection.

The fact that the US-VISIT security strategy's scope is limited to only systems that
the program office owns is not consistent with our recommendation. We have 
ongoing work to evaluate the quality of US-VISIT security documents and 
practices, including TECS implementation of security controls. 

Privacy Impact Assessment 

The purpose of a privacy impact assessment is to ensure handling of information 
conforms to applicable legal, regulatory, and policy requirements regarding privacy, 
determine the risks and effects of collecting, maintaining, and disseminating 
information in identifiable form 39 in an electronic information system, and examine 
and evaluate protections and alternative processes for handling information to 
mitigate potential privacy risks. 



39 Information in a form that permits individuals to be identified.

In February 2006, we reported 40 that the program office had developed and
periodically updated a privacy impact assessment. However, we also reported that 
system documentation only partially addressed privacy. Since then, program 
officials told us that they have taken steps to ensure that the impact assessment's 
results are used in deciding and documenting the content of US-VISIT projects. For 
example, they said that privacy office representatives are included in key project 
definition, design, and development meetings to ensure that privacy issues are 
addressed and that key system documentation now reflects privacy-based needs. 

Furthermore, US-VISIT privacy officials recently conducted an audit of system 
documentation to ensure that privacy is being addressed. They found only a single 
instance where privacy should have been addressed in system documentation but 
was not. Finally, our review of recently issued system documentation shows 
privacy concerns are being addressed. 



40 GAO, Homeland Security: Recommendations to Improve Management of Key Border Security Program Need to Be 
Implemented, GAO-06-296 (Washington, D.C.: February 14, 2006).

Recommendation 2: Develop and implement a plan for satisfying key acquisition
management controls, including acquisition planning, solicitation, requirements 
management, project management, contract tracking and oversight, evaluation, 
and transition to support, and implement the controls in accordance with Software 
Engineering Institute (SEI) guidance. 41 

Status: Partially complete 

Effective acquisition management controls are important contributors to the 
success of programs like US-VISIT. SEI has defined a range of acquisition 
management controls as part of its capability maturity models, which, when 
properly implemented, have been shown to increase the chances of delivering 
promised system capabilities on time and within budget. 

In June 2003, we first reported 42 that the program did not have key acquisition 
management controls in place, and we reiterated this point in September 2003. 43 

41 This recommendation is the merger of two of our prior recommendations. 

42 GAO, Information Technology: Homeland Security Needs to Improve Entry Exit System Expenditure Planning, GAO-03- 
563 (Washington, D.C.: June 9, 2003). 

43 GAO-03-1083.

In May 2005, the program office developed a plan for satisfying SEI acquisition
management guidance and began implementing it. Its 2005 assessment addressed 
13 SEI key process areas, a number of which were consistent with the seven 
management controls that we recommended. 

In April 2006, the program office updated its plan to focus on six key process areas: 
acquisition project planning, requirements management, project monitoring and 
control, risk management, configuration management, and product and process 
quality assurance. 

Since 2005, the program office reports that it has made progress in implementing 
the 113 practices associated with these six key process areas, as previously
discussed. However, the six areas of focus do not include all of the management 
controls that we recommended. For example, solicitation, contract tracking and 
oversight, and transition to support are not included. While the program office 
reports that it has also addressed contract tracking and oversight as part of 
responding to a later recommendation that we made (not one of the nine 
recommendations addressed in this briefing), it also reports that it has yet to 
address the other two management controls.

It is important for the program office to address all of the management controls that
we recommended. If it does not, it will unnecessarily increase program risks.

Recommendation 3: Ensure that expenditure plans fully disclose what system
capabilities and benefits are to be delivered, by when, and at what cost, as well as 
how the program is being managed. 

Status: Partially complete 

The fiscal year 2007 expenditure plan discloses planned system capabilities, 
estimated schedules and costs, and expected benefits, but meaningful information 
about schedules, costs, and benefits is missing. Further, while the plan does 
provide information on some acquisition activities, it does not adequately describe 
how the program is being managed in a number of areas and does not disclose the 
management challenges that it continues to face. Without such information, the 
expenditure plan does not provide Congress with enough information to exercise 
effective oversight and hold the department accountable.

Schedule



The fiscal year 2007 expenditure plan provides time commitments for some 
capabilities; however, these are not specific. For example, the plan states the 
following: 

• Unique Identity 

• Deployment of 10-print pilot to 10 air locations to begin in late 2007. 

• Initial Operating Capability functionality targeted for September 2008. 

• Exit 

• Air exit solution deployment will begin in third quarter 2007 and continue 
through 2008. 

• Begin work in fiscal year 2007 on sea exit deployment that will emulate 
technology and operational plans adopted for commercial aviation 
environment.

Moreover, no schedule commitments are made for the development and
deployment of PKD validation capabilities. 

Costs 

The fiscal year 2007 expenditure plan identifies each project's funding. In some 
cases, this information is provided with meaningful detail that allows for 
understanding of how the funds will be used. For example:

• Unique Identity shows the following activities and costs: 

• Acquisition and Procurement ($21.2 million) — purchase and initial 
deployment of 10-print capture devices and upgrades in network 
capabilities (bandwidth and technology refreshes) at 119 airports, 9
seaports, and 155 land ports. 

• Update DHS Border and Process Technology ($2.0 million) — update 
device to client biometric interfaces and further 10-print prototype testing 
and evaluation.

However, in other cases, costs are not described at a level that would permit such
understanding. For example: 

• Contractor Services (Project Assigned) ($12.1 million) - contractor services 
and support for the project-related resource planning and management 
(including the areas of configuration, acquisition, and risk), as well as project 
performance metrics and reporting in the areas of cost, schedule, scope, and 
quality management. This exact wording is also used for this category in two 
other projects with different costs. 

In addition, unlike prior expenditure plans, carryover funds from prior years that are 
planned for use in 2007 are not allocated to 2007 activities. For example: 

• Exit - A total of $7.3 million in fiscal year 2007 funds, plus fiscal year 2006 
carryover funds of $20 million are mentioned as being allocated to begin the 
process of deploying DHS' integrated air exit strategy and initial planning for 
sea exit. However, only the $7.3 million is allocated among the activities listed. 
No information is presented regarding the allocation of the $20 million in 
carryover funds to these activities or any others.

Benefits

The fiscal year 2007 expenditure plan cites benefits associated with the projects. 
However, the benefits are broadly stated. For example, the plan describes exit 
benefits as "Safer and more secure travel" and Unique Identity benefits as 
"Facilitation of efficient, yet secure, trade and travel." 

Acquisition Management 

The 2007 expenditure plan describes a range of key acquisition management 
activities and control areas. These include: 

• Requirements development and management 

• Configuration management 

• Data governance 

However, the plan does not fully disclose challenges that the program faces in 
managing acquisition activities, nor does it discuss key areas in which change is 
occurring, such as capital planning and investment controls and human capital 
management.

Recommendation 4: Ensure that the human capital and financial resources are
provided to establish a fully functional and effective program office and associated 
management capability. 

Status: Partially complete 

DHS established the US-VISIT program office in July 2003 and determined the 
office's staffing needs to be 115 government and 117 contractor personnel. In
September 2003, we reported 44 that the program office lacked adequate human
capital and financial resources. In August 2004, the program office, in conjunction
with OPM, developed a draft human capital plan. Agency officials stated that, at one
point in 2006, all of the 115 government positions were filled. In addition, the
program has received about $1.4 billion in funding, and we recently reported that it
has devoted an increasing proportion of its annual appropriation to program office 
and related management activities. 



44 GAO-03-1083.

Since then, however, 21 of the government positions have become vacant.
According to program officials, they have taken interim steps to address this void in 
leadership by temporarily assigning other staff to cover them. They added that they 
plan to fill all the positions through aggressive recruitment and that they do not 
consider the vacancies to present a risk to the program. However, without 
adequate human capital, particularly in key positions and for extended periods, 
program risks will invariably increase.

Recommendation 5: Clarify the operational context within which US-VISIT must
operate. 

Status: Partially complete 

As we have previously reported, all programs exist within a larger operational (and 
technological) context or frame of reference that is captured in such strategically 
focused instruments as strategic plans and an EA. Additionally, having a strategic 
plan and an EA are recognized best practices and provided for in federal guidance. 

In 2003, we reported 45 that DHS had yet to define the operational context in which 
US-VISIT is to operate, such as a well-defined department EA or a departmentally 
approved strategic plan. In the absence of this operational context, we stated that 
program officials could make assumptions and decisions that, if they proved 
inconsistent with subsequent departmental policy decisions, would require
US-VISIT rework to make it interoperable with related programs and systems, such as
the FBI's 10-print biometric identity system known as IAFIS. Moreover, we stated 
that US-VISIT could be defined and implemented in a way that made it duplicative 
of other programs and systems, such as the Secure Border Initiative or the 
Western Hemisphere Travel Initiative. 

45 GAO-03-1083.

Since then, we have continued to report on the absence of this context. Most
recently, we reported 46 in February 2006 that this operational context was still a 
work in process. Specifically, we found that although a strategic plan was drafted 
that program officials said showed how US-VISIT was aligned with DHS's 
organizational mission and defined an overall vision for immigration and border 
management across multiple departments and external stakeholders with common 
objectives, strategies, processes, and infrastructures, this plan had been awaiting 
departmental approval at that time for more than 11 months.

In February 2007, we reported 47 that US-VISIT was still lacking a departmentally
approved operational context, and that this was exacerbated by DHS's recent 
launching of other major programs without defining their relationships to US-VISIT. 
Examples of these programs are: 

• Secure Border Initiative (SBI), a multi-year program to secure the borders 
and reduce illegal immigration by installing state-of-the-art surveillance 
technologies along the border, increasing border security personnel, and 
ensuring information access to DHS personnel at and between ports of 
entry. 



46 GAO-06-296. 

47 GAO-07-278.

• Western Hemisphere Travel Initiative (WHTI), which is to implement the
provisions of the Intelligence Reform and Terrorism Prevention Act of 2004 48 
requiring citizens of the United States, Canada, Bermuda, and Mexico to have 
a designated document for entry or re-entry into the United States that 
establishes the bearer's identity and citizenship. 

US-VISIT continues to lack a well-defined operational context. 

• As discussed earlier in this briefing, the fiscal year 2007 expenditure plan 
includes an appendix titled "Comprehensive Strategic Plan for US-VISIT," 
which the Program Director told us is the department's officially approved
US-VISIT strategic plan. However, as we discussed in the legislative conditions
section of the briefing, key elements of relevant federal guidance for a strategic 
plan are not addressed in this plan. For example, no specific outcome-related 
goals for major functions and operations of US-VISIT or specific objectives to 
meet those goals are provided, nor does it address external factors that could 
affect achievement of program goals. Finally, this strategic plan does not 
address the explicit relationships between US-VISIT and either the SBI or 
WHTI programs. 

48 Pub. L. No. 108-458, § 7209, 118 Stat. 3638, 3823 (Dec. 17, 2004).

We recently reported 49 that DHS's EA has evolved beyond prior versions.
However, the DHS EA 2006 50 was not complete for several reasons. For 
example, it was missing architecture content, such as a transition plan and 
evidence of a gap analysis between the "as is" and "to be" architectures, and it 
was developed with limited stakeholder input: support contractors and 
organizational stakeholders provided a range of comments on completeness, 
internal consistency, and understandability of a draft of the EA, but the majority 
of comments were not addressed. Because the EA was not complete, 
internally consistent and understandable, we concluded that its usefulness was 
limited, in turn limiting DHS's ability to guide and constrain IT investments in a 
way that promotes interoperability and reduces overlap and duplication. 



49 GAO-07-564. 

50 The focus of our review was the DHS EA 2006. In March 2007, DHS issued HLS 2007.

Program officials told us that they have met with related programs to coordinate
their respective efforts. They stated that DHS's Office of Screening Coordination 
and Operations (SCO) has been trying to coordinate and unify the departmental 
components' initiatives by bringing border management stakeholders together. 
However, specific coordination efforts have not been assigned to the SCO or any 
other DHS entity. 

The absence of a well-defined operational context within which to define and 
pursue US-VISIT has been long-standing. Until this context exists, the department 
will be challenged in its ability to define and implement US-VISIT and related 
border security and immigration management programs in a manner that promotes 
interoperability, minimizes duplication, and optimizes departmental capabilities and 
performance.

Recommendation 6: Determine whether proposed US-VISIT increments will
produce mission value commensurate with costs and risks and disclose to its 
executive bodies and the Congress the results of these business cases and 
planned actions. 51 

Status: Partially complete 

The decision to invest in any system capability should be based on reliable 
analysis of return on investment. Moreover, according to relevant guidance, 
incremental investments in major systems should be individually supported by 
such analyses of benefits, costs, and risks. Without such analyses, an 
organization cannot adequately know that a proposed investment is a prudent 
and justified use of limited resources. 

In June and September 2003, and in February 2005, we reported 52 that proposed 
investments in the then entry/exit system, US-VISIT Increment 1, and US-VISIT 
Increment 2B, respectively, were not justified by reliable business cases. 



51 This recommendation is the merger of three recommendations. 

52 GAO-03-563, GAO-03-1083, and GAO-05-202.

Further, in February 2006 we reported 53 that while a business case was prepared
for Increment 1B, the analysis performed met only four of the eight criteria in
OMB guidance. For example, it did not include a complete uncertainty analysis 
for the alternatives evaluated. 

More recently, the program office has developed business cases for two projects: 
Unique Identity and U.S. Travel Documents-ePassports (formerly Increment 
2A). 54 However, the program office has not developed a business case for 
another project that it plans to begin implementing this year — biometric exit at air 
POEs. As discussed later in the observations section of this briefing, the program 
office has defined very little about its proposed solution to meeting its exit needs 
at air POEs, including an analysis of alternative solutions to meeting this need on 
the basis of their relative costs, benefits, and risks. 



53 GAO-06-296. 

54 We have ongoing work to address, among other things, these business cases.

Until the program office has reliable business cases for each US-VISIT project in
which alternative solutions for meeting mission needs are evaluated on the basis 
of costs, benefits, and risks, it will not be able to adequately inform its executive 
bodies and the Congress about its plans and will not provide the basis for prudent 
investment decision making.

Recommendation 7: Develop and implement a human capital strategy that provides
for staffing open positions with individuals who have the requisite core 
competencies (knowledge, skills, and abilities). 

Status: Partially complete 

Strategic management of human capital involves proactive efforts to understand an 
entity's future workforce needs, existing workforce capabilities, and the gap 
between the two and to chart a course of action defining how this gap will be 
continuously addressed. Such an approach to human capital management is both 
a best practice and a provision in federal guidance.

In September 2003, we reported 55 that US-VISIT did not have a human capital 
strategy. In February 2006, we reported 56 that the program office issued a human 
capital plan and began implementing it. However, it stopped doing so during 2006 
pending a departmental approval of a DHS-wide human capital initiative, known as 
MAX HR, and because all program office positions were filled. However, as noted
earlier, the program office now reports that it has 21 government positions, 
including critical leadership positions, vacant. 

55 GAO-03-1083. 

56 GAO-06-296.

According to program officials, US-VISIT recently developed a new human capital
plan as part of their Organizational Improvement Initiative and this plan is now 
being reviewed by the department. Because its approval is pending, we were not 
provided a copy.

Recommendation 8: Develop and implement a risk management plan and ensure
that all high risks and their status are reported regularly to the appropriate 
executives. 

Status: Partially complete 

In September 2003, we reported 57 that US-VISIT was a risky undertaking due to 
several factors, including its large scope and complexity and various program 
weaknesses. We concluded that these risks, if not effectively managed, would 
likely cause program cost, schedule, and performance problems. 

Since then, US-VISIT approved a risk management plan and began to put into 
place a risk management process that included, among other things, subprocesses 
for identifying, analyzing, managing, and monitoring risk. It also defined and began 
implementing a governance structure to oversee and manage the process, and it 
maintains a risk database that is available to program management and staff. 



57 GAO-03-1083.

In February 2006, 58 we reported that the risk management process detailed in the
risk management plan was not being consistently applied across the program. In 
addition, we reported that thresholds for elevating risks to department executives 
were not being applied and risk elevation was being left to the discretion of the 
Program Director. Since then, the program has provided training to its employees 
to ensure that they understood how to apply the risk management process. 

However, program officials told us that they have eliminated the thresholds for 
elevating risks beyond the US-VISIT Program Office. Further, no risks have been 
elevated to department executives since December 2005, and no specific guidance 
on when risks should be elevated beyond the US-VISIT Program Director is 
provided in the current risk management plan. 

Until the program office ensures that high risks are appropriately elevated, 
department executives will not have the information they need to make informed 
investment decisions. 



58 GAO-06-296.

Recommendation 9: Define performance standards for US-VISIT that are
measurable and reflect the limitations imposed on US-VISIT capabilities by relying 
on existing systems. 

Status: Partially complete 

The operational performance of US-VISIT depends largely on the performance of 
the existing systems that have been integrated to form it. This means that, for 
example, the availability of US-VISIT is constrained by the downtime of existing 
systems. 

In February 2006, we reported 59 that the program office had defined technical 
performance standards for several increments (e.g., Increments 1, 2B, and 2C),
but these standards did not contain sufficient information to determine whether or 
not they reflected the limitations imposed by reliance on existing systems. Since 
then, program officials told us that they have not updated the performance 
standards for Increments 1-3 to reflect limitations imposed by relying on existing 
systems. As a result, the ability of these increments to meet performance 
requirements remains uncertain. 

59 GAO-06-296.

Recently, the program office has developed requirements-related documentation
on Unique Identity elements, including the iDSM. While this documentation 
specifies a requirement that the model be able to exchange information with 
external systems, and refers to this as a system constraint, it does not assess the 
quantitative impact that these changes would impose on the system. In order to 
determine such impacts, it is necessary to assess such factors as the response 
time and throughput of US-VISIT feeder systems on US-VISIT. 

Until the program defines performance standards that reflect the limitations of the 
existing systems upon which US-VISIT relies, the program lacks the ability to 
identify and effectively address performance shortfalls.

Observation 1: Earned value management data on ongoing prime contract task
orders show that cost and schedule baselines are being met. 

Earned value management (EVM) is a program management tool for measuring 
progress by comparing, during a given period of time, the value of work 
accomplished with the amount of work expected to be accomplished. This 
comparison permits performance to be evaluated based on calculated variances 
from the planned (baselined) cost and schedule. EVM is both an industry 
accepted practice and an OMB requirement. 

The program office requires its prime contractor to use EVM, 60 and the data 
provided by the program office show that the cumulative cost and schedule 
variances for the overall prime contract and all 12 ongoing task orders are within 
an acceptable range of performance. 



60 The EVM system used by the prime contractor has yet to be certified by an outside agent (see page 36 for details).

Our analysis of baseline and actual performance data using generally accepted
earned value analysis techniques shows that as of February 2007, the prime
contractor had an overall

• Positive cost variance for all task orders combined (i.e., was under budget)
by about $17.1 million (about 7 percent of the $238.9 million worth of work to
be completed).

• Negative schedule variance for all task orders combined (i.e., had a schedule
slip) of only about $1.3 million worth of work (less than 1 percent of the work
scheduled for the period).

The six-month (September 2006-February 2007) trends in cost and schedule
variances for the prime contract are shown on the next two pages.

Objective 3: Observation 1
Earned Value Data Show Favorable Variances

[Figure: Cumulative Schedule Variance, in dollars, by month from Sep-06 through Feb-07]

Source: GAO, based on an analysis of DHS data.

Our analysis of these data for two specific task orders showed similar results.
Specifically, 

• Task order 4: Program Level Engineering. This task order includes the 
development and maintenance of the US-VISIT target architecture, related 
standards, engineering plans, and guidance as well as performance 
modeling and technology assessments. As of February 2007, it 

• Showed a positive cost variance (i.e., was under budget) by about 
$4.1 million (about 9.6 percent of the $42.7 million worth of work to be
completed). 

• Showed a negative schedule variance (i.e., had a schedule slip) by 
about $230,000 worth of work (less than one percent of the work 
scheduled for the period).

• Task order 7: IT Solutions Delivery. This task order contains several Unique
Identity project subtasks including (1) operation and maintenance of
US-VISIT's IDENT biometric identification system, (2) development and
maintenance of the iDSM, (3) IDENT expansion to 10 prints, and (4) 
development and testing of enumeration functionality for the U.S. Citizenship 
and Immigration Services. As of February 2007, it 

• Showed a positive cost variance (i.e., was under budget) by about 
$747,000 (less than 2 percent of the $44.5 million worth of work to be 
completed). 

• Showed a negative schedule variance (i.e., had a schedule slip) of 
about $384,000 worth of work (less than one percent of the work 
scheduled for the period). 

All of the above cited variances are within the expected range of 10 percent.

Observation 2: DHS continues to propose a heavy investment in program
management-related activities without adequate justification or full disclosure. 

Program management is an important and integral aspect of any system 
acquisition program. Our recommendations to DHS aimed at strengthening
US-VISIT program management are grounded in our research, OMB requirements,
and recognized best practices relative to the importance of strong program 
management capabilities. The importance of this area, however, does not in and 
of itself justify the level of investment in such activities. Rather, investment in 
program management-related activities, similar to investment in any program 
capability, should be based on full disclosure of the scope, nature, size, and value 
of the program and such investments should be justified in relation to the size and 
significance of the acquisition activities being performed.

Earlier this year, we reported 61 that the program's investment in program
management had risen significantly over the past 4 years, particularly in relation 
to the program's declining level of new system development. The fiscal year 2007 
expenditure plan proposes a level of investment in program management similar 
to that for 2006. At the same time, no explanation or justification of such a 
relatively large investment in program management-related funding has been 
provided. Specifically, 

• The fiscal year 2003 expenditure plan provided $30 million for program 
management and operations. In contrast, the fiscal year 2006 plan provided 
$126 million for program management-related functions. At the same time, 
funds provided for new development fell from $325 million in 2003 to $93 
million in 2006. 

• Restated, program management costs represented about 9 percent of 
planned development costs in 2003 but 135 percent of planned development 
in 2006. This means that in 2006, for every dollar spent on new capabilities, 
$1.35 was spent on management.

61 GAO-07-278.

• According to program officials, the fiscal year 2006 plan did not
properly categorize proposed program management-related funding 
according to its intended use. They added that future expenditure 
plans would provide greater clarity into funds used for management 
versus development. 

• The fiscal year 2007 expenditure plan proposed investing a comparable 
percentage of funding on management-related activities vis-a-vis new 
development. Specifically, our analysis shows that, for every dollar invested 
in new development, $1.25 is to be spent on management-related activities at 
either the program or project level. 

Charts showing this trend in management-related funding in relation to new 
development funding are on the following two pages. 

Objective 3: Observation 2 
Management Funding Remains High and Unjustified 

[Figure: Development, Operations, and Program/Project Management Cost Trends, FY 2002 - FY 2007. Source: GAO analysis of DHS data.] 

[Figure: Program/Project Management Costs as Percentage of New Development. Source: GAO analysis of DHS data.] 

The fiscal year 2007 expenditure plan does not explain the reasons for the sizable 
investment in management-related activities or otherwise justify it on the basis of 
measurable expected value. Without disclosing and justifying its proposed 
investment and program management-related efforts, it is unclear that such a 
large amount of funding for these activities represents the best use of resources. 

Observation 3: Lack of a well-defined and justified exit solution introduces 
the risk of repeating failed and costly past exit efforts. 

The decision to invest in a system or system component should be based on a 
clear definition of what capabilities, what stakeholders, and what will be delivered 
according to what schedule and at what cost. Moreover, it should be economically 
justified via reliable analysis showing that execution of the plan will produce 
mission value commensurate with expected costs and risks. 

According to the fiscal year 2007 expenditure plan, DHS intends to begin 
deploying an exit capability at air and sea POEs and spend $27.3 million doing 
so. More specifically, the plan states that 

• $7.3 million in fiscal year 2007 funding and $20 million in fiscal year 2006 
carryover funding will be used, in part, to begin the process of planning and 
designing an air and sea exit solution; 

• the air exit solution will be fully deployed by an unspecified time during 
calendar year 2008; 

• the air exit solution will be integrated with commercial airlines' existing 
passenger check-in processes; and 

• the sea exit solution will emulate the technology and operational plans 
adopted for air exit. 

However, while US-VISIT has developed a high-level schedule for air exit, 
information supporting that schedule was not provided to GAO and no other exit 
program plans are available that define what will be done, by what entities, and at 
what cost to define, acquire, deliver, deploy, and operate this capability, including 
plans describing expected system capabilities, identifying key stakeholder (e.g., 
airlines) roles/responsibilities and buy-in, coordinating and aligning with related 
programs, and allocating funding to activities. In addition, the exit schedule 
provided by the program office indicates that the air exit solution is to be fully 
implemented by June 2009, which is at least 6 months after the full deployment 
date provided in the expenditure plan. 

Further, available documentation (e.g., the expenditure plan) 

• does not define what key terms mean, such as "full implementation" and 
"integrated;" 

• does not specify what the $20 million in fiscal year 2006 carryover funding 
will be spent on, and only allocates the $7.3 million in fiscal year 2007 
funding to such broad categories of activities as project management, 
contractor services, and planning and design; and 

• does not describe what has been done and what is planned to engage with 
commercial airlines, even though the recently-provided air exit schedule 
states that the department plans to issue a proposed federal regulation 
requiring airlines to participate in this effort by end of calendar year 2007. 

Moreover, no analysis comparing the life cycle costs of the air exit solution to its 
expected benefits and risks is available. In particular, neither the 2007 
expenditure plan nor any other program documentation describes measurable 
outcomes (benefits and results) that will result from an air exit solution. 

According to the expenditure plan, significant air exit planning and testing has 
been conducted over the past 3 years and the air exit solution is based in part on 
these efforts. However, during this time we have continued to report on 
fundamental limitations in the definition and justification of those efforts. For 
example, 

• In September 2003, 62 we reported that DHS had not economically justified 
the initial US-VISIT increment (which was to include an exit capability at air 
and sea POEs) on the basis of benefits, costs, and risks. As a result, we 
recommended that DHS determine whether proposed incremental 
capabilities will produce value commensurate with program costs and risks. 



62 GAO-03-1083. 

• In May 2004, 63 we reported that an exit capability (including biometric 
capture) was not deployed to the 80 air and 14 sea POEs as part of 
Increment 1 deployment in December 2003, as originally intended. Instead, a 
pilot exit capability was deployed to only one air and one sea POE on 
January 5, 2004. At that time, program officials told us that it was being 
piloted at only two locations because they decided to evaluate other exit 
alternatives and planned to select an alternative for full deployment by 
December 31, 2004. 

• In February 2005, 64 we reported that DHS had not adequately planned for 
evaluating the air and sea exit alternatives because the scope and timeline of 
the pilot evaluations were compressed. We recommended that the program 
office reassess its plans for deploying an exit capability to ensure that the 
scope of the pilot provided an adequate evaluation of alternatives. 



63 GAO, Homeland Security: First Phase of Visitor and Immigrant Status Program Operating, but Improvements Needed, 
GAO-04-586 (Washington, D.C.: May 11, 2004). 
64 GAO-05-202. 

• In February 2006, 65 we reported that DHS had analyzed the cost, benefits, 
and risks for its air and sea exit capability, but the analyses did not 
demonstrate that the program was producing or would produce mission value 
commensurate with expected costs and benefits, and the costs upon which 
the analyses were based were not reliable. We also raised questions about 
the adequacy of the program's air exit pilot evaluation, noting that the results 
showed an average compliance of only 24 percent across the three 
alternatives. We concluded that until exit alternatives were adequately 
evaluated, the program office would not be in a position to select the best 
solution. We further noted that without an effective exit capability, the 
benefits and the mission value of US-VISIT would be greatly diminished. We 
did not make a recommendation to address this because we had already 
addressed the situation through a prior recommendation. 



65 GAO-06-296. 

• In December 2006, 66 we reported that US-VISIT officials had concluded that 
a biometric US-VISIT land exit capability could not be implemented without 
incurring a major impact on land POE facilities. We also reported that the 
land exit pilots had surfaced several performance problems, such as RFID 
devices not reading a majority of travelers' tags during testing and multiple 
RFID devices installed on poles or structures over roads reading information 
from the same traveler tag. We recommended that DHS report to Congress 
information on the costs, benefits, and feasibility of deploying biometric and 
nonbiometric exit capabilities at land POEs. 



66 GAO-07-248. 

• In February 2007, 67 we reported that DHS had not adequately defined and 
justified its past investment in exit pilots and demonstration projects. We 
noted that the program had devoted considerable time and resources to exit 
but still did not have either an operational exit capability or a viable exit 
solution to deploy. Further, exit-related program documentation did not 
adequately define what work was to be done or what these efforts would 
accomplish and did not describe measurable outcomes from the pilot or 
demonstration efforts, or related cost, schedule, and capability commitments 
that would be met. We recommended that planned expenditures be limited 
for exit pilots and demonstration projects until such investments are 
economically justified and until each investment has a well-defined 
evaluation plan. 



67 GAO-07-278. 

Notwithstanding these long-standing limitations in planning for and justifying its 
exit efforts, and notwithstanding that funding for exit-related efforts in US-VISIT 
expenditure plans for fiscal years 2003 through 2006 68 totals about $250 million, 
no operational exit capability exists. Unless the department better plans and 
justifies its new exit efforts, it runs the serious risk of repeating this past failure. 



68 As reported in the fiscal year 2005 and revised 2006 expenditure plans. The fiscal year 2007 plan reported that of this 
amount, $53.1 million was still available as prior year carryover ($17.7 million from land and $35.4 million from air and sea). 
Our assessment of these reported numbers is detailed in the Scope and Methodology discussion found in Attachment 1. 




Conclusions 



US-VISIT's prime contract cost and schedule metrics show that expectations are 
being met, according to available data, although the earned value management 
system on which the metrics are based has yet to be independently certified. 
Notwithstanding this, such performance is a positive sign. 

However, the vast majority of the many management weaknesses raised in this 
briefing have been the subject of our prior US-VISIT reports and testimonies, and 
thus are not new. Accordingly, we have already made a litany of recommendations 
to correct each weakness, as well as follow-on recommendations to increase DHS 
attention to and accountability for doing so. Despite this, recurring legislative 
conditions associated with US-VISIT expenditure plans continue to be less than 
fully satisfied, and recommendations that we made 4 years ago are still not fully 
implemented. 

Exacerbating this situation is the fact that DHS did not satisfy two new 
legislative conditions associated with the fiscal year 2007 expenditure plan, and 
serious questions continue to exist about DHS's justification for and readiness to 
invest current, and potentially future, fiscal year funding relative to an exit solution 
and program management-related activities. 



DHS has had ample opportunity to address these many issues, but it has not. As a 
result, there is no reason to expect its newly launched exit endeavor, for example, 
to produce results different from its past endeavors — namely, no operational exit 
solution despite expenditure plans allocating about a quarter of a billion dollars to 
various exit activities. Similarly, there is no reason to believe that the program's 
disproportionate investment in management-related activities represents a prudent 
and warranted course of action. All told, this means that needed improvements in 
US-VISIT program management practices are long overdue. Both the legislative 
conditions and our open recommendations are aimed at accomplishing these 
improvements, and thus they need to be addressed quickly and completely. Thus 
far, they have not been and the reasons that they have not are unclear. 

Recommendations for Executive Action 



Because our outstanding US-VISIT recommendations already address all of the 
management weaknesses discussed in this briefing, we are reiterating our prior 
recommendations, and recommending that the Secretary of DHS report to the 
department's authorization and appropriations committees on its reasons for not 
fully addressing its expenditure plan legislative conditions and our prior 
recommendations. 

Agency Comments 



We provided a draft of this briefing to DHS and US-VISIT program officials and 
solicited their comments on it. In response, DHS and US-VISIT program officials, 
including the program director, stated that the briefing was factually correct and 
that GAO's continued guidance provided value to the program. They also stated 
that the program office would continue to address our open recommendations, and 
would formally comment on a draft of our report that transmits the briefing. 

Attachment 1 

Scope and Methodology 



To accomplish our first objective, 

• we reviewed the fiscal year 2007 plan and other available program 
documentation related to each condition. In doing so, we examined not only 
completed actions and steps, but also planned actions and steps, including 
program officials' stated commitments to perform such activities and steps. 
More specifically, we 

• compared the information in the program's fiscal year 2007 Exhibit 300 
budget submission and related documentation to capital planning guidance 
(OMB A-11 part 7) to determine whether the information complies with the 
capital planning and investment controls, 

• assessed program documents against criteria in DHS's Investment Review 
Process to determine whether the program could demonstrate compliance 
with the DHS enterprise architecture, 

• assessed the program's software improvement program to determine the 
progress made in developing acquisition processes that meet industry 
standards, 




• reviewed documentation to determine whether an independent verification 
and validation agent was currently under contract, 

• reviewed documentation to determine whether the expenditure plan 
received the required certification and approvals, 

• reviewed US-VISIT's strategic plan submission and compared it against 
federal legislation and guidelines, and GAO strategic planning criteria to 
determine whether US-VISIT's strategic plan met best practices, and 

• reviewed US-VISIT's exit submission to determine the extent to which it 
described the exit capabilities to be deployed and included a schedule for 
deploying these capabilities. 

To accomplish our second objective, we 

• reviewed and analyzed the fiscal year 2007 expenditure plan, US-VISIT's 
most recent status reports on the implementation of our open 
recommendations, and related key documents, augmented as appropriate 
by interviews with program officials. Specifically, we reviewed and 
analyzed: 



• relevant systems acquisition documentation, including the program's 
process improvement plan, risk management plan, and configuration 
management plan; 

• the program's security plan, privacy impact assessment, and related 
system acquisition documents; 

• the program's most recent draft human capital strategy and related 
documents; 

We also reviewed the fiscal year 2007 plan to determine whether it 

• disclosed key aspects of how the acquisition is being managed, 
including management areas that our prior reports on US-VISIT 
identified as important but missing (e.g., governance structure, 
organizational structure, human capital, systems configuration, 
and system capacity); and 

• fully disclosed system capabilities and related benefits as well as 
cost and schedule information. 




To accomplish our third objective, we reviewed the fiscal year 2007 plan and 
other available program documentation related to each of the following areas. 
In doing so, we examined completed and planned actions and steps, including 
program officials' stated commitments to perform them. For earned value, we 
reported data provided by the contractor to US-VISIT that is verified by 
US-VISIT. To assess its reliability, we reviewed relevant documentation and 
interviewed the system owner for the earned value data. More specifically, we 
addressed US-VISIT efforts to: 

• track and manage cost and schedule commitments by applying 
established earned value analysis techniques to baseline and actual 
performance data from cost performance reports, 

• define and justify program management costs by reviewing and 
analyzing data on costs provided as part of the expenditure plan; and 

• define and implement an exit strategy for air, sea, and land by 
reviewing and analyzing information provided as part of the 
expenditure plan. 



Additionally, in February 2007, 1 we reported that the system that US-VISIT 
uses to manage its finances (U.S. Immigration and Customs Enforcement's 
Federal Financial Management System (FFMS)) has reliability issues. In light 
of these issues, the US-VISIT Budget Office tracks program obligations and 
expenditures separately using a spreadsheet and comparing this spreadsheet 
to the information in FFMS. Based on a review of this spreadsheet, there is 
reasonable assurance that the US-VISIT budget numbers being reported by 
FFMS are accurate. 

For DHS-provided data that our reporting commitments did not permit us to 
substantiate, we have made appropriate attribution indicating the data's source. To 
assess the reliability of US-VISIT's electronic document repository, we reviewed 
relevant documentation and talked with an agency official about data quality control 
procedures. We determined the data were sufficiently reliable for the purposes of 
this report. 

We conducted our work at US-VISIT program offices in Arlington, Virginia, from 
March 2007 through June 2007, in accordance with generally accepted 
government auditing standards. 

1 GAO-07-278 

Attachment 2 

Related Products List 

• Homeland Security: DHS Enterprise Architecture Continues to Evolve But 
Improvements Needed. GAO-07-564. Washington, D.C.: May 9, 2007. 

• Homeland Security: US-VISIT Program Faces Operational, Technological, and 
Management Challenges. GAO-07-632T. Washington, D.C.: March 20, 2007. 

• Homeland Security: US-VISIT Has Not Fully Met Expectations and 
Longstanding Program Management Challenges Need to Be Addressed. 
GAO-07-499T. Washington, D.C.: February 16, 2007. 

• Homeland Security: Planned Expenditures for U.S. Visitor and Immigrant 
Status Program Need to Be Adequately Defined and Justified. GAO-07-278. 
Washington, D.C.: February 14, 2007. 

• Border Security: US-VISIT Program Faces Strategic, Operational, and 
Technological Challenges at Land Ports of Entry. GAO-07-378T. Washington, 
D.C.: January 31, 2007. 

• Border Security: US-VISIT Program Faces Strategic, Operational, and 
Technological Challenges at Land Ports of Entry. GAO-07-248. Washington, 
D.C.: December 6, 2006. 

• Homeland Security: Contract Management and Oversight for Visitor and 
Immigrant Status Program Need to Be Strengthened. GAO-06-404. 
Washington, D.C.: June 9, 2006. 

• Homeland Security: Progress Continues, but Challenges Remain on 
Department's Management of Information Technology. GAO-06-598T. 
Washington, D.C.: March 29, 2006. 

• Homeland Security: Recommendations to Improve Management of Key Border 
Security Program Need to Be Implemented. GAO-06-296. Washington, D.C.: 
February 14, 2006. 

• Homeland Security: Visitor and Immigrant Status Program Operating, but 
Management Improvements Are Still Needed. GAO-06-318T. Washington, 
D.C.: January 25, 2006. 

• Information Security: Department of Homeland Security Needs to Fully 
Implement Its Security Program. GAO-05-700. Washington, D.C.: June 17, 
2005. 

• Information Technology: Customs Automated Commercial Environment 
Program Progressing, but Need for Management Improvements Continues. 
GAO-05-267. Washington, D.C.: March 14, 2005. 

• Homeland Security: Some Progress Made, but Many Challenges Remain on 
U.S. Visitor and Immigrant Status Indicator Technology Program. GAO-05-202. 
Washington, D.C.: February 23, 2005. 

• Border Security: State Department Rollout of Biometric Visas on Schedule, but 
Guidance Is Lagging. GAO-04-1001. Washington, D.C.: September 9, 2004. 

• Border Security: Joint, Coordinated Actions by State and DHS Needed to 
Guide Biometric Visas and Related Programs. GAO-04-1080T. Washington, 
D.C.: September 9, 2004. 



• Homeland Security: First Phase of Visitor and Immigration Status Program 
Operating, but Improvements Needed. GAO-04-586. Washington, D.C.: May 
11, 2004. 

• Homeland Security: Risks Facing Key Border and Transportation Security 
Program Need to Be Addressed. GAO-04-569T. Washington, D.C.: March 18, 
2004. 

• Homeland Security: Risks Facing Key Border and Transportation Security 
Program Need to Be Addressed. GAO-03-1083. Washington, D.C.: September 
19, 2003. 

• Information Technology: Homeland Security Needs to Improve Entry Exit 
System Expenditure Planning. GAO-03-563. Washington, D.C.: June 9, 2003. 

Attachment 3 

Detailed Description of US-VISIT Program 



The US-VISIT program consists of nine organizations and uses contractor 
support services in several areas. The roles and responsibilities of each of the 
nine organizations include the following: 

• Chief Strategist is responsible for developing and maintaining the 
strategic vision and related documentation, transition plan, and business 
case. 

• Budget and Financial Management is responsible for establishing the 
program's cost estimates; analysis; and expenditure management 
policies, processes, and procedures that are required to implement and 
support the program by ensuring proper fiscal planning and execution of 
the budget and expenditures. 

• Mission Operations Management is responsible for developing business 
and operational requirements based on strategic direction provided by the 
Chief Strategist. 

• Outreach Management is responsible for enhancing awareness of the 
US-VISIT requirements among foreign nationals, key domestic 
audiences, and internal stakeholders by coordinating outreach to media, 
third parties, key influencers, Members of Congress, and the traveling 
public. 

• Information Technology Management is responsible for developing 
technical requirements based on strategic direction provided by the Chief 
Strategist and business requirements developed by Mission Operations 
Management. 

• Implementation Management is responsible for developing accurate, 
measurable schedules and cost estimates for the delivery of mission 
systems and capabilities. 

• Acquisition and Program Management is responsible for establishing and 
managing the execution of program acquisition and management policies, 
plans, processes, and procedures. 



• Administration and Training is responsible for developing and 
administering a human capital plan that includes recruiting, hiring, 
training, and retaining a diverse workforce with the competencies 
necessary to accomplish the mission. 

• Facilities and Engineering Management is responsible for establishing 
facilities and environmental policies, procedures, processes, and 
guidance required to implement and support the program office. 



The program uses contractor support services in the following six subject matter 
areas: 

• Facilities and Infrastructure - provides the infrastructure and facilities support 
necessary for current and anticipated future staff for task orders awarded 
under the prime contract. 

• Program-Level Management - defines the activities required to support the 
prime contractor's program management office, including quality management, 
task order control, acquisition support, and integrated planning and scheduling. 

• Program-Level Engineering - assures integration across incremental 
development of US-VISIT systems and maintains interoperability and 
performance goals. 

• Data Management Support - analyzes data for errors and omissions, corrects 
data, reports changes to the appropriate system of record owners, and 
provides reports. 



• Data Management and Governance - provides support in the implementation 
of data management architecture and transition and sequencing plans, 
conducts an assessment of the current data governance structure and 
provides a recommendation for the future data governance structure, including 
a data governance plan. 

• Mission Operations Data Integrity Improvements - determines possible ways 
to automate some of the data feeds from legacy systems, making the data 
more reliable. 

Attachment 4 

Detailed Description of Increments and Component Systems 



Below is a discussion of the processes underlying each increment and the 
systems that provide information to US-VISIT. 

Increment 1 processes - Increment 1 includes the following five processes at air 
and sea ports of entry (POE): pre-entry, entry, status management, exit, and 
analysis, which are depicted in the graphic below. 




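[Figure: the five Increment 1 processes (pre-entry, entry, status management, exit, and analysis). Sources: GAO analysis of US-VISIT data, Nova Development Corp. (clipart).] 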



Pre-entry process: 

Pre-entry processing begins with initial petitions for visas, grants of visa status, or 
the issuance of travel documentation. When a foreign national applies for a visa at 
a U.S. consulate, biographic and biometric data are collected and shared with 
border management agencies. The biometric data (i.e., fingerprint scan of the right 
and left index fingers) are transmitted from the Department of State (State) to the 
Department of Homeland Security (DHS), where the fingerprints are run against the 
Automated Biometric Identification System (IDENT) to verify identity and to run a 
check against the biometric watch list. The results of the biometric check are 
transmitted back to State. A "hit" response prevents State's system from printing a 
visa for the applicant until the information is cleared by a consular officer. 

Pre-entry also includes transmission by commercial air and sea carriers of crew 
and passenger manifests before arriving in the United States. 1 These manifests are 
transmitted through the Advance Passenger Information System (APIS). The APIS 
lists are run against the biographic lookout system and identify those arrivals who 
have biometric data available. 

In addition, POEs review the APIS list in order to identify foreign nationals who 
need to be scrutinized more closely. 

1 Pub. L. 107-173 (May 14, 2002). 



Entry process: 

When the foreign national arrives at a primary POE inspection booth, the inspector, 
using a document reader, scans the machine-readable travel documents. APIS 
returns any existing records on the foreign national to the US-VISIT workstation 
screen, including manifest data matches and biographic lookout hits. When a 
match is found in the manifest data, the foreign national's name is highlighted and 
outlined on the manifest data portion of the screen. 

Biographic information, such as name and date of birth, is displayed on the bottom 
half of the computer screen, as well as the photograph from State's Consular 
Consolidated Database. The inspector at the booth scans the foreign national's 
fingerprints (left and right index fingers) and takes a digital photograph. This 
information is forwarded to the IDENT database, where it is checked against stored 
fingerprints in the IDENT lookout database. 



If no prints are currently in IDENT, the foreign national is enrolled in US-VISIT (i.e., 
biographic and biometric data are entered). If the foreign national's fingerprints are 
already in IDENT, the system performs a match (a comparison of the fingerprint 
taken during the primary inspection to the one on file) to confirm that the person 
submitting the fingerprints is the person on file. If the system finds a mismatch of 
fingerprints or a watch list hit, the foreign national is sent to an inspection booth for 
further screening or processing. 

While the system is checking the fingerprints, the inspector questions the foreign 
national about the purpose of his or her travel and length of stay. The inspector 
adds the class of admission and duration of stay information into the Treasury 
Enforcement Communications Systems (TECS), and stamps the "admit until" date 
on the Form I-94. 

If the foreign national is ultimately determined to be inadmissible, the person is 
detained, lookouts are posted in the databases, and appropriate actions are taken. 



Within 2 hours after a flight lands and all passengers have been processed, TECS 
is to send the Arrival Departure Information System (ADIS) the records showing the 
class of admission and the "admit until" dates that were modified by the inspector. 

Status management process: 

The status management process manages the foreign national's temporary 
presence in the United States, including the adjudication of benefits applications 
and investigations into possible violations of immigration regulations. 

Commercial air and sea carriers transmit departure manifests electronically for 
each departing passenger. These manifests are transmitted through APIS and 
shared with ADIS. ADIS matches entry and exit manifest data to ensure that each 
record showing a foreign national entering the United States is matched with a 
record showing the foreign national exiting the United States. 



ADIS also provides the ability to run queries on foreign nationals who have entry 
information but no corresponding exit information. 

ADIS receives status information from the Computer Linked Application Information 
Management System and the Student and Exchange Visitor Information System on 
foreign nationals. 

Exit process: 

The exit process includes the carriers' electronic submission of departure manifest 
data to APIS. This biographic information is passed to ADIS, where it is matched 
against entry information. 

Analysis: 

An ongoing analysis capability is to provide for the continuous screening against 
watch lists of individuals enrolled in US-VISIT for appropriate reporting and action. 
As more entry and exit information becomes available, it is to be used to analyze 
traffic volume and patterns as well as to perform risk assessments. The analysis is 
to be used to support resource and staffing projections across the POEs, strategic 
planning for integrated border management analysis performed by the intelligence 
community, and determination of travel use levels and expedited traveler programs. 

Increment 2B and Increment 3 processes - 

Increments 2B and 3 deployed US-VISIT entry processing capabilities to land 
POEs. These two increments are similar to Increment 1 (air and sea POEs), with 
several noteworthy differences. 

• No advance passenger information is available to the inspector before the 
traveler arrives for inspection. 

• Travelers subject to US-VISIT are processed at secondary inspection, rather 
than at primary inspection. 

• Inspectors' workstations use a single screen, which eliminates the need to 
switch between the TECS and IDENT screens. 

• Form I-94 data are captured electronically. The form is populated by data 
obtained when the machine-readable zone of the travel document is swiped. If 
visa information about the traveler exists in the Datashare database,² it is used 
to populate the form. Fields that cannot be populated electronically are 
manually entered. A copy of the completed form is printed and given to the 
traveler for use upon exit. 

• No electronic exit information is captured. 

² Datashare includes a data extract from State's Consular Consolidated Database system and includes the visa photograph, 
biographical data, and the fingerprint identification number assigned when a nonimmigrant applies for a visa. 

Component systems 

US-VISIT Increments 1 through 3 include the interfacing and integration of existing 
systems and, with Increment 2C, the creation of a new system. The three main 
existing systems are as follows: 

• Arrival Departure Information System (ADIS) stores 

• non-citizen traveler arrival and departure data received from air and sea 
carrier manifests, 

• arrival data captured by CBP officers at air and sea POEs, 

• Form I-94 issuance data captured by CBP officers at Increment 2B land 
POEs, and 

• status update information provided by the Student and Exchange Visitor 
Information System (SEVIS) and the Computer Linked Application 
Information Management System (CLAIMS 3) (described below). 

ADIS provides record matching, query, and reporting functions. 

The passenger processing component of the Treasury Enforcement 
Communications Systems (TECS) includes two systems: 

• Advance Passenger Information System (APIS) captures arrival and 
departure manifest information provided by air and sea carriers, and 

• Interagency Border Inspection System (IBIS) maintains lookout data and 
interfaces with other agencies' databases. 

CBP officers use these data as part of the admission process. The results of 
the admission decision are recorded in TECS and ADIS. 

The Automated Biometric Identification System (IDENT) collects and stores 
biometric data on foreign visitors, including data such as 

• Federal Bureau of Investigation information³ on all known and suspected 
terrorists, selected wanted persons (foreign-born, unknown place of birth, 
previously arrested by DHS), and previous criminal histories for high-risk 
countries; 

• DHS Immigration and Customs Enforcement information on deported 
felons and sexual registrants; and 

• DHS information on previous criminal histories and previous IDENT 
enrollments. 



³ Information from the Federal Bureau of Investigation includes fingerprints from the Integrated Automated Fingerprint 
Identification System. 

US-VISIT also exchanges biographic information with other DHS systems, 
including SEVIS and CLAIMS 3: 

• SEVIS is a system that contains information on foreign students and 

• CLAIMS 3 is a system that contains information on foreign nationals who 
request benefits, such as change of status or extension of stay. 

Some of the systems involved in US-VISIT, such as IDENT and AIDMS, are 
managed by the program office, while some systems are managed by other 
organizational entities within DHS. For example: 

• TECS is managed by CBP, 

• SEVIS is managed by Immigration and Customs Enforcement, 

• CLAIMS 3 is under United States Citizenship and Immigration Services, 
and 

• ADIS is owned by US-VISIT, but is managed by CBP. 

US-VISIT also interfaces with other, non-DHS systems for relevant purposes, 
including watch list⁴ (i.e., lookout) updates and checks to determine whether a visa 
applicant has previously applied for a visa or currently has a valid U.S. visa. In 
particular, US-VISIT receives biographic and biometric information from State's 
Consular Consolidated Database as part of the visa application process, and 
returns fingerscan information and watch list changes. 



⁴ Watch list data sources include DHS's Customs and Border Protection and Immigration and Customs Enforcement; 
the Federal Bureau of Investigation; legacy DHS systems; the U.S. Secret Service; the U.S. Coast Guard; the 
Internal Revenue Service; the Drug Enforcement Agency; the Bureau of Alcohol, Tobacco, & Firearms; the U.S. 
Marshals Service; the U.S. Office of Foreign Asset Control; the National Guard; the Treasury Inspector General; the 
U.S. Department of Agriculture; the Department of Defense Inspector General; the Royal Canadian Mounted Police; 
the U.S. State Department; Interpol; the Food and Drug Administration; the Financial Crimes Enforcement Network; 
the Bureau of Engraving and Printing; and the Department of Justice Office of Special Investigations. 
U.S. Department of Homeland Security 

Washington, DC 20528 

Mr. Randolph C. Hite 

Director, Information Technology Architecture 

and Systems Issues 
441 G Street, NW 

U.S. Government Accountability Office 
Washington, DC 20548 

RE: Draft Report GAO-07-1065, Homeland Security: U.S. Visitor and Immigrant 
Status Program's Longstanding Lack of Strategic Direction and Management 
Controls Needs to be Addressed (GAO Job Code 310650) 

Dear Mr. Hite: 

The Department of Homeland Security (DHS) appreciates the opportunity to review and 
comment on the draft report referenced above. We agree with the majority of the findings. 
However, there are some findings with which DHS officials disagree, and on which we provide 
comments below. Other comments are intended to provide either additional information or 
clarification. 

As you know, US-VISIT represents the greatest advancement in border technology in three 
decades. The Department of Homeland Security established US-VISIT to achieve the following 
goals: (1) enhance the security of our citizens and visitors; (2) facilitate legitimate travel and 
trade; (3) ensure the integrity of our immigration system; and (4) protect the privacy of visitors. 

For all the successes of US-VISIT, the Department realizes, and your report supports the fact, 
that we need to improve the core areas of the report that focus on management controls, 
operational context, and human capital. We have already established much of the foundation for 
meeting future challenges and will continue to improve the necessary disciplines for excellent 
program management. We realize that much needs to be done, and we appreciate the guidance 
provided by reports such as this. 

US-VISIT officials are establishing an Integrated Project Team to engage the U.S. Government 
Accountability Office (GAO) staff to aggressively review the open recommendations and satisfy 
and close each of them. DHS will appreciate consideration of our comments and their inclusion 
in any revision in this draft report or any future related audit report. We will engage with GAO 
on any questions or concerns you have with US-VISIT's comments. 

GAO notes that DHS has partially implemented recommendations pertaining to US-VISIT that 
have been open for four years and provides a summary of the status. 
1. Recommendation: Develop and begin implementing a system security plan and perform a 
privacy impact analysis and use the results of this analysis in near term and subsequent 
system acquisition decision making. 

DHS Response: US-VISIT officials do not agree with this recommendation and 
consider it satisfied based on security activities undertaken in response to previous 
GAO recommendations. GAO reported in 2005 that the US-VISIT program office 
completed a security plan largely consistent with federal practice. However, this plan 
did not properly consider a security risk assessment. Since that time, US-VISIT has 
communicated to GAO that it was replacing the security plan with an enterprise 
security strategy and enterprise risk assessment. Officials noted that all individual 
systems comprising the US-VISIT program that were under US-VISIT control had 
been certified and accredited in accordance with Office of Management and Budget 
(OMB) and National Institute of Standards and Technology (NIST) policy, to include 
security plans and risk assessments for each system. US-VISIT completed the 
enterprise risk assessment in 2005 and, based on that assessment, an enterprise 
security strategy was completed in 2006. US-VISIT delivered an IT Security 
Strategy Plan to GAO in January 2007. 

As part of GAO's results of analysis on page 35, GAO states that the program office's 
security strategy developed in December 2006 "...was limited to the systems under 
US-VISIT control and does not mention, for example, the Treasury Enforcement 
Communications System (TECS) which provides biographic information to US- 
VISIT and is owned by Customs and Border Protection (CBP). According to NIST 
Special Publication 800-18, a comprehensive security strategy should include all 
component systems." 

In actuality, NIST publication 800-18 provides guidance for completing system 
security plans and not enterprise security strategies. Furthermore, it notes that 
systems should have the following characteristics when determining system 
boundaries for complex systems: (1) have the same function or mission objective and 
essentially the same operating characteristics and security needs, and (2) reside in the 
same general operating environment (or in the case of a distributed information 
system, reside in various locations with similar operating environments). 

TECS is a mainframe environment owned by CBP and located in a CBP data center 
that serves many other program needs besides US-VISIT. US-VISIT and CBP have 
developed and signed Interconnection Security Agreements (ISAs) which detail the 
security controls that must be in place prior to the exchange of any data. These ISAs 
are consistent with federal policy in general and DHS policy in particular for sharing 
data in a secure manner. The US-VISIT program remains current with all 
certification and accreditation documents for systems within its control. As part of its 
commitment to security, the program is also updating the enterprise security strategy 
and enterprise risk assessment on a regular basis. In addition, the options available to 
US-VISIT to address this risk—developing ISAs and collaborating with CBP on 
development efforts to ensure security—are already in place. 
In discussing the privacy impact assessment aspect of the recommendation, GAO 
notes (pp. 65-66) that "US-VISIT privacy officials recently conducted an audit of 
system documentation to ensure that privacy is being addressed. They found only a 
single instance where privacy should have been addressed in system documentation 
but was not. Finally, our review of recently issued system documentation shows 
privacy concerns are being addressed." 

US-VISIT considers this part of the recommendation as satisfied based on privacy 
activities undertaken in response to previous GAO recommendations. The US-VISIT 
privacy team review identified 250 documents prepared for the Automated Biometric 
Identification System (IDENT) since January 1, 2006. Of these, 66 of the more 
recently created documents were selected for review. Of the 66 documents reviewed, 
seven were determined to be relevant system documents. It was determined that the 
remaining documents were not relevant system documents for including privacy 
assessments based on the type of system document or based on the fact that the 
documents were for system updates that did not have a privacy impact. Of these 
seven relevant system documents, six were determined to have satisfactory 
discussions of privacy. One document, the Enumeration Data Management Plan, did 
not have a satisfactory discussion of privacy, and that document is being revised to 
include the privacy requirements. 

2. Recommendation: Develop and implement a plan for satisfying key acquisition management 
controls, including acquisition planning, solicitation, requirements management, project 
management, contract tracking, oversight, evaluation, and transition to support, and 
implement the controls in accordance with Software Engineering Institute (SEI) guidance. 

DHS Response: US-VISIT officials agree with this recommendation and have 
demonstrated efforts to satisfy this recommendation. US-VISIT has focused on the 
implementation of six Capability Maturity Model Integration (CMMI) process areas 
as a result of the 2005 internal appraisal. As reflected in the 2006 Process 
Improvement Plan, the six process areas are being implemented in two pilot US- 
VISIT projects as well as internal program office functional groups that are 
responsible for these process areas. An appraisal conducted in May 2006 reported 
progress against the US-VISIT 2006 Process Improvement goals. Another internal 
appraisal was completed in November 2006, and the results were briefed to the 
Management Steering Group (MSG) in December 2006. The appraisal results 
showed that the participating projects and program office functions progressed from 
29 fully or largely implemented practices assessed in 2005 to 55 in November 2006; 
in addition all 29 practices 'not implemented' in 2005 were reduced to zero in 
November 2006. Follow-up quarterly internal appraisals are planned, and the results 
will be reported to the Enterprise Process Group (EPG) and MSG. US-VISIT has 
updated the Process Improvement Plan for 2007 to re-establish goals and define 
activities to undertake in 2007 to continue to address strengthening processes. A 
copy of this document was provided to the GAO audit team for review. 

3. Recommendation: Ensure that expenditure plans fully disclose what system capabilities and 
benefits are to be delivered, by when, and at what cost, as well as how the program is being 
managed. 
DHS Response: US-VISIT officials agree with this recommendation and have 
demonstrated efforts to satisfy this recommendation. In developing the FY 2008 
Expenditure Plan, US-VISIT has incorporated into its data call templates, 
requirements to: articulate results against prior year commitments; report project 
performance against cost and schedule estimates; link discussions of project 
capabilities, benefits, and performance indicators; and provide a clearer explanation 
of operations & maintenance and program management costs and results. The draft 
FY 2008 Expenditure Plan is to be provided to National Protection and Programs 
Directorate (NPPD) to begin DHS review and approval at the beginning of September 
2007. This will provide the first evidence of efforts to address this recommendation. 

Addressing Recommendations 4 and 7 

4. Recommendation: Ensure that the human capital and financial resources are provided to 
establish a fully functional and effective program office and associated management 
capability. Recommendation 7: Develop and implement a human capital strategy that 
provides for staffing open positions with individuals who have the requisite core 
competencies (knowledge, skills and abilities). 

DHS Response: US-VISIT officials agree with this recommendation and have 
demonstrated efforts to satisfy this recommendation. As of 31 December 2006, all 
115 Federal positions designated for US-VISIT had been filled, with recruitment 
actions in process for 10 vacancies that resulted from expected turnover. In FY 2006, 
US-VISIT experienced a 10 percent turnover rate. The current US-VISIT Human 
Capital Plan, developed in 2004 to guide strategic human capital initiatives through 
2008, is expected to be superseded by a 2007 revision following approval of US- 
VISIT's Organizational Improvement Initiative (OII). 

Currently, 90 of 115 authorized US-VISIT positions are filled. The 25 vacancies are 
a result of attrition. The attrition was mitigated by a successful intern program and 
recruitment and retention program that was implemented in July 2007, with executive 
management sponsorship and dedicated resources from the human capital planning 
project team. Further, US-VISIT is fully budgeted to hire its complement of 
employees. 

5. Recommendation: Clarify the operational context within which US-VISIT must operate. 

DHS Response: US-VISIT officials agree with this recommendation and have 
demonstrated efforts to satisfy this recommendation. US-VISIT continues to 
incorporate elements of the vision, goals, and objectives into ongoing activities. US- 
VISIT has developed a strategic framework that contains US-VISIT's core purpose 
and capabilities moving into the future and its key objectives for the next five years 
with associated activities. This document provides the framework for future 
operations and other documentation to include (currently in draft and being 
reviewed): Mission Needs Statement (MNS) - addresses core mission and 
capabilities; Operational Requirements Document (ORD) - contains performance and 
operational information; Acquisition Program Baseline (APB) - presents critical data 
affecting and supporting the performance, cost and schedule of the US-VISIT 
Program's investment operations for Fiscal Years 2008-2013. 

The strategic framework will also be used to update US-VISIT's strategic plan that 
will reflect: US-VISIT's transition to NPPD; its designation as the biometric 
repository for all of DHS; management services being provided to immigration and 
border management; world-wide trans-border travel security efforts to include 
adopting compatible biometric capture and comparison and allowing for international 
sharing of pertinent watch list data; and relationships with other DHS components 
and programs and other federal agencies. 

US-VISIT expects to have its strategic plan, to include those key elements required 
by GPRA, updated, reviewed, and approved in FY08. US-VISIT has been diligently 
working on the FY08 Expenditure Plan to ensure projects are mapped to the mission, 
strategic goals, and objectives; and provide for traceability of expenditures. 

6. Recommendation: Determine whether proposed US-VISIT increments will produce mission 
value commensurate with costs and risks and disclose to its executive bodies and Congress 
the results of these business cases and planned actions. 

DHS Response: US-VISIT officials agree with this recommendation and have 
demonstrated efforts to satisfy this recommendation. In accordance with capital 
investment best practices, US-VISIT follows a practice of incremental program 
development through a series of increments, or mission capability enhancements 
(MCEs), intended to deliver discrete functional capabilities. Each proposed 
incremental investment is subjected to a cost-benefit analysis (CBA) to ensure that 
the investment is justified in terms of operational and/or economic value delivered. 
CBAs are performed in accordance with a cost-benefit process that conforms to the 
requirements of OMB Circular A-94, the DHS CBA Workbook, and DHS MD-1400. 
Specifically, where feasible, benefits are monetized and compared to correlated costs 
to derive the investment's net present value. 

To ensure uncertainties related to the investment are fully factored in the analysis, the 
estimates for both monetized benefits and costs are subjected to uncertainty analysis, 
yielding a risk-adjusted return on investment for each alternative considered. 
Recognizing that the quality and precision of the CBA plays a key role in any 
investment decision, US-VISIT continues efforts to strengthen its capabilities in this 
area through such actions as establishment of a Cost Process Action Team to assist in 
refining the program's cost analysis policies and procedures, the creation of a US- 
VISIT cost estimation and analysis process document, and the acquisition of 
professional services in the areas of life cycle cost modeling and independent cost 
analysis. CBAs underway are currently monitored and reviewed for compliance with 
OMB and Software Engineering Institute cost and cost-benefit guidelines. 

7. Recommendation: Develop and implement a human capital strategy that provides for staffing 
open positions with individuals who have the requisite core competencies (knowledge, skills 
and abilities). 
Please see response #4. 

8. Recommendation: Develop and implement a risk management plan and ensure that all high 
risks and their status are reported regularly to the appropriate executives. 

DHS Response: US-VISIT officials agree with this recommendation and have 
demonstrated efforts to satisfy this recommendation. The US-VISIT Program 
published a revised Risk Management Plan in 2nd Quarter FY07. As the risk 
management program continues to mature, US-VISIT has observed that the risk 
management processes (as detailed in the Risk Management Plan) are being applied 
throughout the program. Utilization of the US-VOICE risk database, bi-monthly 
meetings of the Risk Review Council (RRC), periodic Risk Review Board (RRB) 
meetings, vertical and horizontal communications to stakeholders, monthly Risk 
Status Reports provided to the RRC and RRB, and frequent training help to ensure 
that risk management is part of the US-VISIT culture. 

In the area of training, US-VISIT provided risk management training classes to US- 
VISIT personnel (government and contractors) in accordance with the US-VISIT 
Risk Management Plan - classes covered the theory of risk management and the five 
risk management processes. Since March 2006, risk management training has 
included the application of the US-VOICE risk management database and scenarios 
to instruct students in the planning, identification, analysis, handling, monitoring, and 
control of risks and issues. High priority risks will be communicated from the US- 
VISIT Director to the Under Secretary of NPPD. In addition to RRBs, high priority 
risks are briefed to the US-VISIT Senior Leadership and US-VISIT staff at quarterly 
Program Management Reviews (PMRs). US-VISIT provided GAO officials with the 
most recent Risk Management Plan dated February 2007. 

9. Recommendation: Define performance standards for US-VISIT that are measurable and 
reflect the limitations imposed on US-VISIT Capabilities by relying on existing systems. 

DHS Response: US-VISIT officials agree with this recommendation and have 
demonstrated efforts to satisfy this recommendation. US-VISIT completed the 
selection process for tools to support database management, application management, 
enterprise management console, event/fault management, and performance 
management. US-VISIT has formalized an enterprise modeling process to provide 
decision support and alternatives analysis for meeting business process performance 
expectations by analyzing the end-to-end effects of the physical environment, 
network capacity, and performance requirements and back-end system performance. 
The models have been used for simulation and analysis to provide the Unique Identity 
(UI) Project with the right set of decision-making elements for the implementation of 
the right combination of inspection processes, technical architecture, and supporting 
infrastructure. US-VISIT has negotiated Interface Control Documents/Agreements 
(ICD/ICA) with those organizations with whom information is to be generated or 
shared. Included in these agreements generally are Service Level Agreements 
regarding timeliness, reliability and availability. 


Appendix II 

Comments from the Department of Homeland 
Security 

To ensure that US-VISIT systems meet internal performance commitments, an 
Architecture Improvement Design and Prototype Team has been established to 
engineer and build prototypes to verify or clarify the various enhancements and 
changes to the current IDENT system during the modernization phase of the Unique 
Identity Program. The specific goals of the prototypes include: 

• determining the viability of specific Commercial Off the Shelf 
Technology (COTS) products (e.g., biometric middleware, reporting 
architectures, and non-incumbent matcher solutions) to reduce costs of 
matching and reporting results; 

• identifying the most viable architectural alternative for the given feature; 

• evaluating, where possible, the performance of the architecture; 

• assessing the reliability, maintainability, and availability of the 
architecture; 

• assessing and prototyping implementation alternatives to enhance security 
features; 

• estimating required architecture sizing to meet long-term scale; and 

• determining the optimal tuning to enhance matching accuracy while 
reducing costs. 

In discussing its observations on the expenditure plan and management of US-VISIT, GAO 
correctly comments that prime contract cost and schedule expectations are being met. GAO then 
states that aspects of the program continue to lack definition and justification. Specifically, GAO 
observed (page 9) a "lack of a well-defined and justified exit solution introduces the risk of 
repeating failed and costly past exit efforts." 

The overall impression created by this language is that the proofs of concept for exit operations 
at the air ports of entry (POEs) and I-94 Radio Frequency Identification test operations at the 
land POEs were a failure because they did not immediately conclude with operational systems. 
GAO presents the proof of concepts as ends in themselves and implies that the experiences and 
empirical data gained from the proofs of concept were not worth their costs. In omitting any 
discussion of, and implicitly devaluing, the operational experience gained from the proofs of 
concept and how that data can or will be used in developing a more workable future system, the 
undertaking may, unfortunately, be considered a failure by GAO. We would draw a different 
conclusion. US-VISIT had always intended to end the proofs of concept and use what was 
learned. 

GAO did not include biographic exit procedures (as later described at pp. 134-135 of the draft 
report) in the June 2007 briefing material provided to the staffs of the Subcommittees on 
Homeland Security, Senate and House Committees on Appropriations (page 16, Acquisition 
Strategy, Description and History of Increments, Increment 1), notwithstanding its important 
historical and current use as part of the exit process. 

GAO informed the staffs of the subcommittees (page 33) that the fiscal year 2007 US-VISIT 
expenditure plan, related program documentation, and program officials' statements satisfied (in 
part or total) most, but not all, of the legislative conditions. Specifically, GAO discussed 
whether the plan, related program documentation and program officials' statements satisfied or 
partially satisfied all aspects of the capital planning and investment control review requirements 
established by OMB, including OMB Circular A-11, part 7. 

We appreciate the opportunity to comment on this draft report. 

Sincerely, 




Director 

Departmental GAO/OIG Liaison Office 